A serious SQL injection vulnerability (CVE-2025-9807) has been disclosed in The Events Calendar WordPress plugin, affecting versions 6.15.1 and below. What makes it troubling:
- Unauthenticated exploitation: an attacker does not need an account or a login to exploit it.
- Database risk: the injection lets an attacker run arbitrary SQL against the site's database, which can lead to data theft, data manipulation, and potentially full site compromise, depending on how the site and its database are configured.
Because of its severity and the ease of exploitation, this is a high-priority issue for anyone running a vulnerable version.
Source: Patchstack
What Workhorse Has Done
Here’s how we have you covered:
- Full Patch Deployment
We've already updated The Events Calendar plugin to version 6.15.1.1 or later, the release that fixes the flaw, on every client site that was running a vulnerable version. That removes the root cause of the vulnerability.
- Virtual Patching / Protective Mitigations
In addition to applying the official patch, our clients are protected by our virtual patching (vPatching) defenses. That layer inspects incoming requests and blocks those carrying injection payloads before they reach the plugin, so an attempt made before or during the patch rollout is stopped rather than executed against the database.
This layered approach keeps the window of exposure as small as possible, even if automatic updates are delayed or an update fails.
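If you manage your own sites and want to confirm where you stand, the check that matters is whether each installed copy of the plugin is below 6.15.1.1. The script below is an added illustration for this advisory, not Workhorse's tooling or the plugin's code. It assumes you have already collected each site's installed plugin version (for example with `wp plugin get the-events-calendar --field=version` on each host; the slug `the-events-calendar` is the plugin's wordpress.org slug) and it uses a constructed sample inventory. The point it demonstrates is correct dotted-version comparison: comparing as strings would rank "6.9" above "6.15", and "6.15.1" must sort below the four-part fixed version "6.15.1.1".

```python
"""Triage a fleet of WordPress sites for vulnerable versions of The Events Calendar.

Added example for this advisory (not Workhorse's own tooling). Assumes the
installed versions were gathered separately, e.g. via
`wp plugin get the-events-calendar --field=version` on each site.
"""
from __future__ import annotations

import re

# First release that closes CVE-2025-9807, per the advisory above.
FIXED_IN = "6.15.1.1"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints.

    Only the leading digits of each component are used, so a suffix such as
    "1-beta" still parses; a component with no digits counts as 0.
    """
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str = FIXED_IN) -> bool:
    """True if `installed` is older than `fixed_in`.

    Both tuples are zero-padded to the same length so "6.15.1" is treated as
    "6.15.1.0", which is below "6.15.1.1". Numeric comparison is essential:
    "6.9.2" < "6.15.1.1" even though the string "6.9" sorts after "6.15".
    """
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


# Constructed sample inventory: hostname -> installed version, or None when the
# plugin is not installed on that site. These are not real hosts.
SAMPLE_INVENTORY: dict[str, str | None] = {
    "site-a.example": "6.15.1",    # last vulnerable release
    "site-b.example": "6.15.1.1",  # fixed release
    "site-c.example": "6.9.2",     # old release; a string compare would miss it
    "site-d.example": "6.15.2",    # newer than the fix
    "site-e.example": None,        # plugin not installed
}


def triage(inventory: dict[str, str | None]) -> dict[str, list[str]]:
    """Bucket sites into update_required / patched / not_installed."""
    report: dict[str, list[str]] = {
        "update_required": [],
        "patched": [],
        "not_installed": [],
    }
    for site, version in inventory.items():
        if version is None:
            report["not_installed"].append(site)
        elif is_vulnerable(version):
            report["update_required"].append(site)
        else:
            report["patched"].append(site)
    return report


if __name__ == "__main__":
    for bucket, sites in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(sites) or '-'}")
```

Feed `triage()` a real inventory and treat every entry in `update_required` as a site that still needs the 6.15.1.1 update; virtual patching in front of those sites reduces risk but does not change that verdict.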