Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
4025 articles · 176782 vulns · 36/41 feeds (7d)
← Back to list
7.5
CVE-2026-9700EXPLOITED
wordpress · eventer

Eventer <= 4.4.2 - Unauthenticated SQL Injection via 'code' Parameter

Description

The Eventer plugin for WordPress is vulnerable to time-based SQL Injection via the ‘code’ parameter in all versions up to, and including, 4.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Affected Products

VendorProductVersions
wordpresseventer0

References

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3b0a3a-ce4b-40fd-9519-a81e315cee42?source=cve
  • https://codecanyon.net/item/eventer-wordpress-event-manager-plugin/20972534

Related News (1 articles)

Tier C
VulDB9d ago
CVE-2026-9700 | joe007 Eventer Plugin up to 4.4.2 SQL Query code sql injection
→ No new info (linked only)
CVSS 3.17.5 HIGH
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA KEV❌ No
Actively exploited✅ Yes
CWECWE-89
PublishedJul 8, 2026
Last enriched9d agov2
Trending Score13
Source articles1
Independent1
Info Completeness8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-63030EXPKEV
WordPress < 7.0.2 - REST API batch-route confusion and SQL injection issue leading to Remote Code Execution
Trending: 124
CRITICALCVE-2026-60137
WordPress < 7.0.2 - Facilitated SQL Injection via author__not_in in WP_Query
Trending: 44
MEDIUMCVE-2026-12097EXP
User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modification
Trending: 12
CRITICALCVE-2026-6382EXP
Multiple elFinder Plugins - Authenticated OS Command Injection
Trending: 9
HIGHCVE-2026-8441EXP
WP Review Slider Pro <= 12.7.2 - Unauthenticated SQL Injection via 'notinstring' Parameter
Trending: 6

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 8, 2026
Discovered by ZDM
Jul 8, 2026
Updated: severity, activelyExploited
Jul 8, 2026
Actively Exploited
Jul 8, 2026

Version History

v2
Last enriched 9d ago
v2Tier C9d ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited.

severityactivelyExploited
via VulDB
v19d ago

Initial creation