EventON WordPress Plugin SQL Injection Exposes Database Contents (CVE-2026-9711)
Scope: EventON WordPress Plugin (Versions Affected, Exact Range Unspecified in Source Material)
Severity: High
A SQL injection vulnerability in the EventON WordPress plugin allows attackers to inject arbitrary SQL commands, enabling unauthorized access to sensitive database contents, including user credentials, personal information, event data, and application secrets stored in the WordPress database. Depending on the database server configuration, successful exploitation may also enable modification or deletion of records, privilege escalation within the WordPress application, or pivoting to additional systems reachable through the database connection.

Administrators running EventON should update to the latest patched version immediately via the WordPress admin dashboard. They should also audit database contents for signs of unauthorized access or data modification, enforce least privilege for the database user so that the WordPress database account has no file read or write permissions, and deploy a WAF to filter SQL injection patterns against WordPress endpoints.
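As an added example that is not part of the CERT.UG advisory, the following MySQL/MariaDB statements first audit and then restrict the database account WordPress uses, implementing the least-privilege recommendation above; the account name 'wpuser'@'localhost' and the database name 'wordpress' are assumptions, so substitute the values from wp-config.php.

```sql
-- Added example (not from the advisory): audit and tighten the MySQL/MariaDB
-- account used by WordPress. 'wpuser'@'localhost' and the 'wordpress' schema
-- are assumed names; take the real ones from DB_USER / DB_NAME in wp-config.php.

-- 1. Audit: what can the WordPress account do today?
SHOW GRANTS FOR 'wpuser'@'localhost';

-- Global privileges such as FILE (read/write files on the DB host), SUPER or
-- PROCESS should not be held by a web application account.
SELECT user, host, File_priv, Super_priv, Process_priv
  FROM mysql.user
 WHERE user = 'wpuser';

-- Also confirm the server itself restricts file operations: an empty value
-- disables LOAD DATA INFILE / SELECT ... INTO OUTFILE for every account.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. Weak (over-privileged) grant often found on shared hosts:
--    GRANT ALL PRIVILEGES ON *.* TO 'wpuser'@'localhost' WITH GRANT OPTION;
--    With this grant, an injected query is limited only by the server config.

-- 3. Corrected least-privilege grant: scoped to the WordPress schema and to
--    the statement types WordPress core and plugins (schema updates included)
--    actually issue. No global privileges, no GRANT OPTION.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wpuser'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE,
      CREATE, DROP, ALTER, INDEX,
      CREATE TEMPORARY TABLES, LOCK TABLES
   ON wordpress.* TO 'wpuser'@'localhost';
FLUSH PRIVILEGES;

-- 4. Re-check: the only grant listed should now be the database-scoped one.
SHOW GRANTS FOR 'wpuser'@'localhost';
```

Apply the revoke/grant during a maintenance window and test plugin and core updates afterwards, since a plugin that needs a privilege outside this list will fail at that point rather than silently.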
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.