cleantalk
Vulnerabilities and Security Researches

Community Events, CVE-2026-2429

CVE, Research URL

CVE-2026-2429

Home page URL

Security reports for Community Events

Application

Community Events

Published on
Mar 07, 2026
Research Description
The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the `on_save_changes_venues` function in all versions up to, and including, 1.5.8. This is due to insufficient escaping on the user-supplied CSV data and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a crafted CSV file upload.
Affected versions
max 1.5.9.
Status
vulnerable
Previous vulnerability researches
Germanized for WooCommerce (c7f8732ffdd5f3947de85d9aaed3c63d7a44299e) , Jun 07, 2024
Germanized for WooCommerce (CVE-2026-2582) , Apr 14, 2026
New vulnerability
Customer Reviews for WooCommerce (CVE-2026-1316) , Apr 15, 2026
WP Recipe Maker (CVE-2026-1558) , Apr 15, 2026
Page and Post Clone (CVE-2026-2893) , Apr 15, 2026
Greenshift – animation and page builder blocks (CVE-2026-2589) , Apr 15, 2026
Greenshift – animation and page builder blocks (CVE-2026-1927) , Apr 15, 2026