CVE-2020-35012

7.2 HIGH

📋 TL;DR

This SQL injection vulnerability in the Events Manager WordPress plugin allows attackers to execute arbitrary SQL commands on affected WordPress sites. It affects all WordPress installations using vulnerable versions of the plugin, potentially compromising site data and functionality.

💻 Affected Systems

Products:
  • Events Manager WordPress Plugin
Versions: All versions before 5.9.8
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data manipulation, privilege escalation, or complete site takeover.

🟠 Likely Case: Unauthorized data access, including sensitive user information, event data, and potentially administrative credentials.

🟢 If Mitigated: Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are commonly exploited, and proof-of-concept details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.9.8

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2336019/events-manager

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find Events Manager plugin
4. Click 'Update Now' if available
5. If manual update needed, download version 5.9.8+ from WordPress.org
6. Deactivate old plugin, upload new version, activate

🔧 Temporary Workarounds

Temporary Plugin Deactivation (applies to: all)

Disable the Events Manager plugin until patched:

wp plugin deactivate events-manager

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict database user permissions to read-only where possible

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Events Manager version number

Check Version:

wp plugin get events-manager --field=version

Verify Fix Applied:

Confirm plugin version is 5.9.8 or higher in WordPress admin
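The version check above is easy to get wrong by hand (5.10 is newer than 5.9.8 even though it sorts lower as text). The following script is an added example, not part of this advisory or of the Events Manager project: it compares a version string, such as the one `wp plugin get events-manager --field=version` prints, against the fixed release 5.9.8 named on this page. The function names are ours; only the version numbers come from the page.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed
# Events Manager version is below the fixed release 5.9.8.

FIXED_VERSION="5.9.8"

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower than B.
# Components are compared numerically, so 5.10 ranks above 5.9.8, missing
# components count as 0, and a trailing suffix such as "-beta" is ignored.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# check_events_manager VERSION: print VULNERABLE, PATCHED or UNKNOWN.
check_events_manager() {
    if [ -z "$1" ]; then
        # wp-cli printed nothing: plugin not installed, or the command failed.
        echo "UNKNOWN"
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "PATCHED"
    fi
}

# On a live site (not run here), feed wp-cli's answer straight in:
#   check_events_manager "$(wp plugin get events-manager --field=version)"
check_events_manager "5.9.7"
```

Treat UNKNOWN as a finding of its own: an empty answer usually means the plugin is absent from that WordPress install, which should be confirmed rather than assumed.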

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts following SQL patterns
  • Unexpected database errors in WordPress logs

Network Indicators:

  • HTTP requests with SQL injection patterns in parameters
  • Unusual database connection patterns

SIEM Query:

source="wordpress.log" AND "events-manager" AND ("SQL" OR "database error")
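For hosts without a SIEM, the same idea can be run over the web server's access log with grep. The script below is an added example, not from this advisory or from the plugin's authors: it keeps only request lines that reference the events-manager plugin path and also carry a common SQL-injection marker, so a stray quote character elsewhere on the site does not fire. The sample log lines, file names, parameters and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): grep rendering of the SIEM query
# "events-manager" AND SQL-injection markers, over an Apache-style access log.

# Raw and percent-encoded single quote, SQL keywords followed by a space, plus
# or percent sign, and two names that rarely appear in legitimate event URLs.
SQLI_PATTERN="%27|'|union[+ %]|select[+ %]|sleep\(|information_schema"

# flag_sqli_lines: read log lines on stdin, print only the suspicious ones.
flag_sqli_lines() {
    grep -iE 'events-manager' | grep -iE "$SQLI_PATTERN"
}

# count_sqli_lines: read log lines on stdin, print how many were flagged.
count_sqli_lines() {
    flag_sqli_lines | wc -l | tr -d ' '
}

# Constructed sample log, not real traffic. Lines 2 and 4 should be flagged;
# line 3 carries a quote but does not touch the plugin, so it should not.
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [01/Jan/2021:10:00:00 +0000] "GET /wp-content/plugins/events-manager/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2021:10:00:05 +0000] "GET /wp-content/plugins/events-manager/example.php?id=1%27%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "curl/7.68.0"
203.0.113.12 - - [01/Jan/2021:10:00:09 +0000] "GET /wp-login.php?redirect_to=%27 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Jan/2021:10:00:12 +0000] "GET /wp-content/plugins/events-manager/example.php?id=1%20AND%20sleep(5) HTTP/1.1" 500 0 "-" "python-requests/2.25"
EOF
}

# Run against the sample; on a real host pipe the access log in instead, e.g.
#   flag_sqli_lines < /var/log/apache2/access.log
sample_log | flag_sqli_lines
```

A 500 status on a flagged line is worth a second look, since the page lists unexpected database errors as an indicator; pair the hit with the "database error" entries in the WordPress debug log for the same timestamp.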
