SQL Injection Vulnerability in The Events Calendar by Liquid Web / StellarWP
CVE-2026-49772
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 16 June 2026
Badges
What is CVE-2026-49772?
An SQL injection vulnerability exists in The Events Calendar plugin developed by Liquid Web and StellarWP, allowing for unauthorized access to the database through specifically crafted SQL commands. This can lead to sensitive data exposure or manipulation, impacting the integrity and security of affected WordPress installations. Versions from 6.15.12 to 6.16.2 are vulnerable, making it crucial for users to apply necessary updates to mitigate risks.
Affected Version(s)
The Events Calendar 6.15.12 <= 6.16.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved