SQL Injection Vulnerability in The Events Calendar by Liquid Web / StellarWP
CVE-2026-49772

9.3CRITICAL

Key Information:

Vendor: WordPress
Status: The Events Calendar
Vendor: CVE Published:; 16 June 2026

What is CVE-2026-49772?

An SQL injection vulnerability exists in The Events Calendar plugin developed by Liquid Web and StellarWP, allowing for unauthorized access to the database through specifically crafted SQL commands. This can lead to sensitive data exposure or manipulation, impacting the integrity and security of affected WordPress installations. Versions from 6.15.12 to 6.16.2 are vulnerable, making it crucial for users to apply necessary updates to mitigate risks.

Affected Version(s)

The Events Calendar 6.15.12 <= 6.16.2

References

https://patchstack.com/database/wordpress/plugin/the-even...

vdb-entry

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 16, 2026
Vulnerability Reserved
Jun 1, 2026

Credit

vtim | Patchstack Bug Bounty Program

CVE-2026-49772 Data

JSON