PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-69135 CurlyThemes CVE debrief

PatchSiren analyzed CVE-2025-69135, a HIGH severity vulnerability in Events Schedule - WordPress Events Calendar Plugin. This SQL Injection issue affects versions up to 2.7.2. The vulnerability allows subscribers to inject malicious SQL, potentially leading to unauthorized data access or modification. Users should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Vendor
CurlyThemes
Product
Events Schedule - WordPress Events Calendar Plugin
CVSS
HIGH 8.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Users of Events Schedule - WordPress Events Calendar Plugin version 2.7.2 or earlier should prioritize patching this HIGH severity vulnerability. Operators, platform administrators, vulnerability management teams, and security teams should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.

Technical summary

CVE-2025-69135 is a SQL Injection vulnerability in the Events Schedule - WordPress Events Calendar Plugin. The issue, rated HIGH with a CVSS score of 8.5, allows subscribers to inject malicious SQL. This vulnerability can be exploited by authenticated users with subscriber privileges, potentially leading to data breaches or system compromise.

Defensive priority

Patching is highly recommended due to the HIGH severity of this SQL Injection vulnerability. Defenders should prioritize verifying installed plugin versions, monitoring for suspicious activity, and applying compensating controls where necessary.

Recommended defensive actions

  • Apply the latest patch for Events Schedule - WordPress Events Calendar Plugin
  • Inventory and verify installed plugin versions
  • Monitor for suspicious database queries
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-06-17T13:19:18.903Z and last modified on 2026-06-17T15:16:38.007Z. The NVD entry is currently Deferred. This information is based on the supplied source corpus. Defenders should verify the accuracy of this information and review the official CVE record and NVD entry for further details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:19:18.903Z and has not been modified since then. The NVD entry is currently Deferred.