CVE-2025-6970: 
WordPress vulnerability analysis and mitigation

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in versions up to and including 7.0.3. This vulnerability was discovered in July 2025 and assigned CVE-2025-6970. The vulnerability affects the WordPress plugin Events Manager, which is used for event registration and booking management (NVD).

The vulnerability stems from insufficient escaping on the user-supplied 'orderby' parameter and lack of sufficient preparation on the existing SQL query. This security flaw allows unauthenticated attackers to append additional SQL queries to existing queries, potentially extracting sensitive information from the database. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a high-severity issue with network accessibility and no required privileges (NVD).

The vulnerability allows unauthenticated attackers to perform SQL injection attacks that can be used to extract sensitive information from the database. Given the CVSS score and vector string, the vulnerability primarily impacts the confidentiality of the system, with no direct impact on integrity or availability (NVD).

The vulnerability has been patched in version 7.0.4 of the Events Manager plugin. Users are strongly advised to update to this version immediately. The fix includes improved parameter escaping and SQL query preparation (WordPress Plugin).