CVE-2024-8275

CRITICAL

The Events Calendar <6.6.4 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-8275. PoCs published by p33d.

AI-analyzed exploit summary: This PoC demonstrates a SQL injection vulnerability in The Events Calendar WordPress plugin by exploiting the unsanitized 'order' parameter in the tribe_has_next_event function. It includes a basic SQLi test and generates a sqlmap command for further exploitation.

Description

The Events Calendar plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'tribe_has_next_event' function in all versions up to, and including, 6.6.4, due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database. Only sites that have manually added a call to tribe_has_next_event() are vulnerable to this SQL injection.

Exploits (1)

nomisec WORKING POC
by p33d · poc
https://github.com/p33d/CVE-2024-8275

Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: The Events Calendar WordPress plugin (versions up to 6.6.4)
Authentication: none needed
Prerequisites: Python 3 · requests library · sqlmap (optional)
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.8354
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
stellarwp/The Events Calendar < 6.6.4
stellarwp/the_events_calendar < 6.6.4.1
Published Sep 25, 2024
Tracked Since Feb 18, 2026