CVE-2026-49772 PUBLISHED

WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability

Assigner: Patchstack
Reserved: 01.06.2026 Published: 16.06.2026 Updated: 16.06.2026

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection.

This issue affects The Events Calendar: from 6.15.12 through 6.16.2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
CVSS Score: 9.3

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Liquid Web / StellarWP
Product	The Events Calendar
Versions	Default: unaffected affected from 6.15.12 to 6.16.2 (incl.)

Solutions

Update the WordPress The Events Calendar Plugin to the latest available version (at least 6.16.3).

Credits

vtim | Patchstack Bug Bounty Program finder

References

https://patchstack.com/database/wordpress/plugin/the-events-calendar/vulnerability/wordpress-the-events-calendar-plugin-6-15-12-6-16-2-sql-injection-vulnerability?_s_id=cve

Problem Types

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE

Impacts

CAPEC-7 Blind SQL Injection