CVE-2020-35012: 
WordPress vulnerability analysis and mitigation

The Events Manager WordPress plugin before version 5.9.8 contains a SQL injection vulnerability (CVE-2020-35012) that was discovered on June 7, 2020. The vulnerability affects the Events Manager plugin and was fixed in version 5.9.8. The issue was identified by Antony Garand from GoDaddy (WPScan).

The vulnerability stems from improper input validation where the plugin fails to sanitize and escape a parameter before using it in a SQL statement, leading to SQL injection. The vulnerability has a CVSS v3.1 base score of 7.2 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-89 (SQL Injection) and falls under the OWASP Top 10 category A1: Injection (AttackerKB, WPScan).

The vulnerability could allow an attacker to execute arbitrary SQL commands on the affected database, potentially leading to unauthorized access, data manipulation, and data theft. The CVSS metrics indicate high impact on confidentiality, integrity, and availability of the system (AttackerKB).

Users should upgrade to Events Manager version 5.9.8 or later to address this vulnerability. The fix was implemented in the plugin's codebase and is available through the WordPress plugin repository (WordPress Plugin Repository).