CVE-2022-1905: 
WordPress vulnerability analysis and mitigation

The Events Made Easy WordPress plugin versions prior to 2.2.81 contained an unauthenticated SQL injection vulnerability, identified as CVE-2022-1905. The vulnerability was discovered and publicly disclosed on May 30, 2022. The issue stems from improper sanitization and escaping of parameters in SQL statements that are accessible through AJAX actions (WPScan, NVD).

The vulnerability is classified as a SQL injection (SQLI) with a CVSS score of 8.6 (High). It falls under the OWASP Top 10 category A1: Injection and is identified as CWE-89. The issue occurs when the plugin fails to properly sanitize and escape parameters before using them in SQL statements via an AJAX action that is accessible to unauthenticated users (WPScan).

This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries against the WordPress database. Attackers can potentially extract sensitive information, including user credentials, by exploiting the SQL injection vulnerability in the AJAX functionality (WPScan).

The vulnerability has been patched in version 2.2.81 of the Events Made Easy plugin. Website administrators are strongly advised to update to this version or later to protect against potential attacks (WPScan).