CVE-2021-24943

CRITICAL EXPLOITED NUCLEI

Events Calendar <2.7.6 - SQL Injection

Title source: llm

Description

The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.

Nuclei Templates (1)

Registrations for the Events Calendar < 2.7.6 - SQL Injection

CRITICALVERIFIEDby ritikchaddha

Shodan: http.html:/wp-content/plugins/registrations-for-the-events-calendar/

FOFA: body=/wp-content/plugins/registrations-for-the-events-calendar/

References (1)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/ba50c590-42ee-4523-8aa0-87ac644b77ed

Scores

CVSS v3 9.8

EPSS 0.5545

EPSS Percentile 98.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-11-08

CWE

CWE-89

Status published

Products (1)

roundupwp/registrations_for_the_events_calendar < 2.7.6

Published Dec 06, 2021

Tracked Since Feb 18, 2026