Security · April 10, 2026

CVE-2025-69045: SQL Injection in FooEvents Requires Only a Subscriber Account

CVE-2025-69045 lets any subscriber-level user (anyone who registers a free account) run SQL commands against the database of a FooEvents site. CVSS 8.5, patched in version 1.20.5.

FooEvents for WooCommerce is an event ticketing plugin with tens of thousands of active installs. It works by converting WooCommerce orders into event tickets. Your attendee list, ticket assignments, check-in data, and event capacity all live as WooCommerce order records in your database. In late 2025, a SQL injection vulnerability let any subscriber-level user interact with that database directly.

CVE-2025-69045 FooEvents: How the Vulnerability Works

CVE-2025-69045 affects FooEvents versions up to and including 1.20.4, rated CVSS 8.5. An authenticated user with subscriber-level access can trigger the vulnerability. That is the lowest possible privilege level. Anyone can create this kind of account by registering on a site that allows user registration.

SQL injection means the attacker can send crafted input that the database interprets as commands rather than data. In this case that means: read everything, modify anything, delete at will. The Patchstack advisory notes that the vulnerability allows a malicious actor to directly interact with the database. In a WooCommerce environment, that database holds every ticket, every customer name, every order, and every transaction record for every event on the platform.

CVE-2025-69045 FooEvents: What Subscriber-Level Access Actually Means

Subscriber is the default role WordPress assigns to anyone who registers an account on a site. On most WordPress installations with user registration enabled, getting a subscriber account requires nothing more than filling out a sign-up form. There’s no approval process. No admin interaction. No prior relationship with the site.

That’s the attack surface for CVE-2025-69045: register a free account on an event site, then send the malicious SQL request. On a FooEvents installation, this can wipe every WooCommerce order. Since FooEvents uses orders as tickets, that means every ticket for every event simultaneously. No hacking expertise required. No social engineering. No brute force. A free account and one request.

Why Event Ticketing Sites Are Particularly Exposed

For most WordPress sites, a database wipe is serious but recoverable. Content can come from backups. Customer records can be reconstructed. For an event ticketing setup, the stakes are different. Tickets sell weeks or months in advance. Revenue collection happens before the event. The database isn’t just a record. It’s the operational infrastructure for something with a fixed date and 400 people expecting entry.

An attack timed for the day of an event – or the night before – leaves no clean recovery path. Backups help if they’re recent and if there’s time to restore. But the window between discovery and doors opening is often measured in hours, not days.

The Fix and What to Check

FooEvents patched the vulnerability in version 1.20.5. If you’re running any version up to 1.20.4, update immediately. If your site had user registration enabled while running a vulnerable version, audit recent user registrations and review database logs for unexpected queries.
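As a first pass at the checks above, here is an added Python triage helper (not from this post or from FooEvents) that reads the plugin's version header, compares it with the patched 1.20.5, and lists subscriber accounts registered during an exposure window you supply. The sample plugin header, the user records (field names assumed to match what wp-cli's user list prints) and the window dates are all constructed.

```python
"""Triage for CVE-2025-69045: FooEvents below 1.20.5 and subscriber sign-ups while exposed."""
import re
from datetime import datetime

FIXED_VERSION = (1, 20, 5)  # first release with the fix, per the advisory

def parse_version(text):
    """Turn '1.20.4' into a tuple so 1.20.10 compares above 1.20.5."""
    return tuple(int(part) for part in text.strip().split("."))

def installed_version(plugin_header):
    """Read the 'Version:' line from a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", plugin_header, re.MULTILINE)
    if not match:
        raise ValueError("no Version: line in plugin header")
    return parse_version(match.group(1))

def is_vulnerable(plugin_header):
    """True while the installed FooEvents release predates the patched one."""
    return installed_version(plugin_header) < FIXED_VERSION

def suspicious_registrations(users, exposed_from, exposed_until):
    """Logins of subscriber accounts registered inside the exposure window."""
    hits = []
    for user in users:
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "subscriber" in user["roles"] and exposed_from <= registered <= exposed_until:
            hits.append(user["user_login"])
    return hits

# Constructed sample: the header block at the top of a plugin's main PHP file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: FooEvents for WooCommerce
 * Version: 1.20.4
 */
"""

# Constructed sample user records (field names assumed to match `wp user list`).
SAMPLE_USERS = [
    {"user_login": "organiser", "roles": "administrator", "user_registered": "2024-03-02 09:15:00"},
    {"user_login": "regular", "roles": "subscriber", "user_registered": "2025-06-20 18:40:11"},
    {"user_login": "newbie42", "roles": "subscriber", "user_registered": "2025-11-28 02:13:47"},
]
EXPOSURE_START = datetime(2025, 11, 1)   # constructed: when the vulnerable version went live
EXPOSURE_END = datetime(2025, 12, 15)    # constructed: when 1.20.5 was installed

if __name__ == "__main__":
    print(is_vulnerable(SAMPLE_HEADER), suspicious_registrations(SAMPLE_USERS, EXPOSURE_START, EXPOSURE_END))
```

Accounts it lists are only candidates for review; the registration timestamp alone does not prove misuse, so pair the output with the database log review the text recommends.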

Subscriber-level SQL injection vulnerabilities are particularly relevant for sites that allow open registration. Event ticket sales often do, since attendees need accounts to manage their bookings. Trusti Security’s vulnerability scanner flags installed plugins against a live CVE database, so a match like CVE-2025-69045 surfaces in your dashboard as soon as it’s documented, before it becomes an operational problem.
