The Eventer plugin for WordPress is vulnerable to time-based SQL Injection via the ‘code’ parameter in all versions up to, and including, 4.4.2. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Unaffected versions are unavailable. The vulnerability allows unauthenticated attackers to append additional SQL queries into already [truncated]
The Eventer plugin for WordPress has a critical vulnerability (CVE-2026-9701) allowing unauthenticated attackers to reset passwords for any user, including administrators, due to an insecure password reset mechanism. This vulnerability is particularly concerning because it can be exploited in conjunction with other vulnerabilities, such as SQL Injection (CVE-2026-9700), to gain unauthorized access to user [truncated]