SQL Injection Vulnerability in NotFound WP Google Calendar Manager Plugin
CVE-2025-28939
8.5 HIGH
What is CVE-2025-28939?
The NotFound WP Google Calendar Manager plugin is vulnerable to blind SQL injection. The flaw arises from improper handling of special elements within SQL commands, which can expose sensitive data to unauthorized access. All versions up to and including 2.1 are affected, so sites running the plugin need immediate action to mitigate the risk and protect site integrity.
Affected Version(s)
WP Google Calendar Manager <= 2.1
CVSS V3.1
Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Trương Hữu Phúc (truonghuuphuc) (Patchstack Alliance)