[CVE-2025-12197] The Events Calendar WordPress Plugin Blind SQL Injection Exposes Site Databases

Volerion Research

TL;DR
Versions 6.15.1.1 through 6.15.9 of The Events Calendar WordPress plugin fail to escape the s query parameter before building a database query. Because the vulnerable endpoint is reachable without authentication, an attacker can perform blind SQL injection and steal data such as user emails, password hashes and event attendee information. Upgrading to 6.15.10 fixes the issue.


1. Summary

CVE ID: CVE-2025-12197
Affected Product(s): The Events Calendar for WordPress 6.15.1.1 – 6.15.9
Volerion Risk Score: 7.1 / 10
Exploit Status: No public PoC at publication time
CISA KEV: No

Over 800 000 WordPress sites use The Events Calendar to manage community meet-ups, ticket sales and conferences. A single crafted GET request against the /events/ endpoint is enough to manipulate the underlying SQL query and leak arbitrary rows. Because WordPress stores credentials and personal data in the same database, successful exploitation can lead to full account takeover.


2. Context – Why this vulnerability matters to WordPress administrators

The Events Calendar is in the top percentile of WordPress plugins by active installations and is often bundled with commercial themes or installed by non-technical site owners. Many of those sites sit behind shared hosting where database servers are exposed only to localhost, giving administrators a false sense of security. A blind SQL injection that does not require login breaks that assumption and hands attackers a path to:

Mass exploitation campaigns have historically targeted similar WordPress injection bugs within days. Even without a public PoC, the triviality of the coding error means reliable exploits are easy to develop.


3. Technical Details – From innocent search box to database exfiltration

The plugin adds a search feature that accepts an s parameter, which is passed into the tribe_repository_factory()->get_event_repository()->where('post_title LIKE "%'.$s.'%"') chain. Prior to version 6.15.10 the string is concatenated directly into the LIKE clause without using $wpdb->prepare().

Because MySQL terminates a string literal with a quote, an attacker can close the clause and append boolean logic. Although direct union responses are suppressed by WordPress, time-based payloads reveal information through response delays.

/events/?s=" OR IF((SELECT COUNT(*) FROM wp_users WHERE user_login='admin')>0,SLEEP(3),0) AND "a"="a

The request above adds a three-second delay only if the admin user exists. By iterating character by character, attackers can extract password hashes or other confidential data.

The patch introduces a prepared statement via $wpdb->prepare( 'post_title LIKE %s', "%{$s}%" ), which safely escapes user input.
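To make the defect and its fix concrete, here is an added example that is not the plugin's code: it uses Python with an in-memory SQLite table standing in for wp_posts, because the point is how the query is built, not WordPress itself. search_vulnerable() mirrors the pre-6.15.10 concatenation; search_safe() mirrors the prepared-statement fix, with the search value bound as a parameter and, in addition, LIKE wildcards escaped the way $wpdb->esc_like() does. The table contents and the quote-closing search string are constructed for the demo, and because SQLite string literals use single quotes, the demo input uses a single quote where the MySQL payload above uses a double one.

```python
import sqlite3

# Constructed sample rows standing in for wp_posts (not the plugin's schema).
SAMPLE_TITLES = ["Community Meetup", "Ticketed Conference", "Board Meeting"]

# Constructed input that closes the string literal and appends boolean logic,
# the same shape as the advisory's payload but in SQLite's single-quote syntax.
QUOTE_CLOSING_INPUT = "' OR '1'='1"


def make_db():
    """Build a throwaway database with the sample titles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (post_title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?)", [(t,) for t in SAMPLE_TITLES])
    return conn


def search_vulnerable(conn, s):
    """Pre-6.15.10 pattern: the raw parameter is concatenated into the LIKE clause."""
    sql = "SELECT post_title FROM posts WHERE post_title LIKE '%" + s + "%'"
    return [row[0] for row in conn.execute(sql)]


def esc_like(s):
    """Python equivalent of $wpdb->esc_like(): make %, _ and \\ match literally."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, s):
    """Fixed pattern: the value travels as a bound parameter, never as SQL text.

    ESCAPE '\\' tells SQLite which character esc_like() used, so a search for
    '%' matches only titles that contain a literal percent sign.
    """
    sql = "SELECT post_title FROM posts WHERE post_title LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + esc_like(s) + "%",))]


if __name__ == "__main__":
    db = make_db()
    for term in ["Meet", "%", QUOTE_CLOSING_INPUT]:
        print(repr(term), "vulnerable:", search_vulnerable(db, term),
              "safe:", search_safe(db, term))
```

Binding alone is what stops the injection: with the bound version the quote-closing input simply matches nothing. Escaping % and _ is a separate concern that the prepare() call quoted above does not perform on its own, so without it a search for "%" still returns every event.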


4. Impact – What an attacker gains

A successful exploit grants read access to the entire WordPress database. Impact scales with the data stored:

Site defacement or malware drops follow once the attacker obtains a valid administrator cookie or cracks a hash. For organisations that use The Events Calendar for ticketing, GDPR and CCPA disclosure obligations can be triggered because attendee names and emails reside in the same tables.


5. Remediation – What you should do now

Upgrade to The Events Calendar 6.15.10 or any newer version. Administrators who cannot patch immediately should implement a short-term Web Application Firewall rule that blocks requests containing the s parameter to /events paths. Disabling search altogether also removes the attack surface but degrades usability.
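For administrators who want to spot probing alongside the WAF rule, the following added example (not part of the advisory, and neither Volerion's nor the plugin's code) scans web-server access logs for the shape this bug is exploited with: requests to /events paths whose s parameter contains a quote together with SQL function or operator tokens, or that took unusually long to answer, which is what a time-based probe looks like from the server side. The log lines, the log format (combined format plus nginx's $request_time as a trailing field), the 2.5 s threshold and the token list are constructed assumptions; adapt the regex to your own log_format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format with a trailing request-time field (nginx $request_time).
# Constructed format for this example; adjust to your server's log_format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<rt>[\d.]+)$'
)

# Tokens that have no business in a legitimate event-title search.
SQL_TOKENS = re.compile(r"(?i)\b(?:sleep|benchmark|select|union|if)\s*\(|\bor\b.*=|--|/\*")

# Threshold for the time-based heuristic (assumption; tune to your site's normal latency).
SLOW_SECONDS = 2.5

# Constructed sample log lines; the last one carries the advisory's payload URL-encoded.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Nov/2025:06:00:01 +0000] "GET /events/?s=meetup HTTP/1.1" 200 5120 0.118',
    '203.0.113.7 - - [05/Nov/2025:06:00:02 +0000] "GET /events/?s=O%27Brien%20meetup HTTP/1.1" 200 4980 0.201',
    '203.0.113.7 - - [05/Nov/2025:06:00:03 +0000] "GET /events/?s=rock%20or%20roll HTTP/1.1" 200 5011 0.130',
    '198.51.100.23 - - [05/Nov/2025:06:00:04 +0000] "GET /blog/?s=%22quoted%22 HTTP/1.1" 200 3000 0.090',
    '198.51.100.23 - - [05/Nov/2025:06:00:05 +0000] "GET /events/?s=%22%20OR%20IF((SELECT%20COUNT(*)%20FROM%20wp_users%20WHERE%20user_login%3D%27admin%27)%3E0,SLEEP(3),0)%20AND%20%22a%22%3D%22a HTTP/1.1" 200 5120 3.214',
]


def parse_line(line):
    """Parse one log line into a dict with decoded path, query and request time."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    rec["rt"] = float(rec["rt"])
    return rec


def classify(rec):
    """Return the reasons a request looks like an /events search-injection probe."""
    reasons = []
    if not rec["path"].startswith("/events"):
        return reasons
    values = rec["query"].get("s")
    if not values:
        return reasons
    # A quote is required before we count SQL-looking tokens, so a search such as
    # "rock or roll" is not flagged while O'Brien still passes.
    if any(("'" in s or '"' in s) and SQL_TOKENS.search(s) for s in values):
        reasons.append("sql-tokens-in-s")
    if rec["rt"] >= SLOW_SECONDS:
        reasons.append("slow-response")
    return reasons


def scan(lines):
    """Return (ip, path, reasons) for every line that trips at least one heuristic."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["path"], reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The slow-response signal is deliberately kept separate from the token match: a single slow request is noise, but the same client address repeatedly producing slow /events searches is the pattern of character-by-character extraction and is worth alerting on even if the tokens are obfuscated.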

Nothing else in the plugin requires configuration changes after applying the update, and no database migrations occur between 6.15.9 and 6.15.10.


6. Timeline

Date (UTC)        Milestone
2025-11-05 05:15  CVE-2025-12197 published
2025-11-05 05:18  Volerion completes enrichment and publishes risk score

7. References


About Volerion

Volerion delivers AI-driven enrichment minutes after a CVE goes live. A single call to our REST API returns CVSS 4.0 vectors, exploitability metrics and affected products complete with remediation. Additionally, we offer different scoring profiles, complete with insight into the eight comprehensive categories that make up the final score. Our API is also available in the traditional NVD API 2.0 format, so integration is as simple as swapping hosts. Spend less time parsing CVEs and more time closing them.

How the Volerion Risk Score Fits With CVSS, EPSS and KEV

At the time of writing:

The Volerion Risk Score combines these signals with additional factors such as exploit maturity, product popularity and remediation effort. For CVE-2025-12197 the score is 7.1, which places it in our high-risk band and justifies prioritised patching on production sites.

