
StellarWP The Events Calendar Blind SQL Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-49772

A Blind SQL Injection vulnerability in The Events Calendar plugin may allow an attacker to inject malicious database commands and potentially access sensitive information. This issue is reachable via network requests and affects the underlying database. Organizations should confirm if this plugin is in use and assess p

Halo Surface Signal: 4

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-49772

The vulnerability affects a WordPress plugin designed to manage and display calendars on public-facing websites. As a component of a web application typically exposed to the internet to allow user interaction with event listings, the vulnerable code is commonly reachable by remote visitors.

PCI scan relevance

PCI Relevance for CVE-2026-49772

Yes

CVE-2026-49772 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This SQL injection vulnerability in The Events Calendar is critical and likely to cause a PCI ASV scan to fail, requiring remediation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves a flaw in how a popular WordPress event management plugin handles user input, potentially allowing an attacker to manipulate database commands. While the direct business impact is unconfirmed, its presence in a widely used plugin warrants attention to verify if it is deployed within the organization and assess potential exposure.

  • Flaw allows attackers to inject malicious database commands.
  • Key issue is potential for unauthorized database access.
  • Confirm relevance and assess exposure within your environment.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests over the network. These requests target a feature within The Events Calendar plugin, potentially allowing the attacker to manipulate database queries. Successful exploitation could lead to unauthorized access to sensitive data or even limited control over the application's database.

  • Requires network access.
  • Triggers through crafted requests.
  • Risk of data exposure.

Live Threat

Current exploitation, exposure, and threat context

A SQL injection vulnerability in The Events Calendar could allow an unauthenticated attacker to execute arbitrary SQL commands on the underlying database. This could expose sensitive information or disrupt service.

  • Affects database content.
  • Via unauthenticated network requests.
  • Could lead to information disclosure.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Events Calendar, a WordPress plugin, has a Blind SQL Injection vulnerability. This issue is likely to affect the application owner and potentially the platform team responsible for the WordPress environment. The first practical step is to identify all instances of The Events Calendar within the environment, confirm their reachability from external networks, and determine their business criticality to prioritize remediation efforts.

  • Application owners should manage the fix.
  • Verify external reachability and business impact.
  • Coordinate vendor remediation or risk reduction.


Frequently asked questions

What is The Events Calendar plugin?

The Events Calendar is a popular WordPress plugin used to manage, schedule, and display event listings on websites. It acts as a bridge between a site's database and its visitors, allowing administrators to organize complex event data while providing a public-facing interface for users to browse schedules, venues, and event details directly within their browsers.

How does CVE-2026-49772 trigger SQL injection?

This vulnerability is classified as CWE-89, or Improper Neutralization of Special Elements used in an SQL Command. It occurs because the plugin fails to properly filter user-provided input before using it in database queries. This allows an attacker to inject their own SQL code, effectively tricking the database into executing unauthorized commands that can reveal information, rather than just retrieving the requested event details.

Does any specific user action trigger this bug?

No specific user action is required to trigger this vulnerability. The flaw is triggered by sending specially crafted network requests to the plugin. Because it is a Blind SQL injection, the attacker does not see direct errors; they observe how the application responds to these requests to infer database contents. Simply navigating the site normally or performing standard searches will not trigger this vulnerability.

Why is this CVE a concern for my website?

Halo Surface Signal notes that this plugin is typically used on public-facing websites to allow user interaction, meaning the vulnerable component is often directly reachable from the internet. If your site uses an affected version of The Events Calendar, attackers can send malicious requests over the network without needing authentication, potentially accessing sensitive information stored in your WordPress database.

What should I do if I run The Events Calendar?

Begin by auditing your environment to locate all instances of the plugin and identify which versions are currently active. Since the flaw affects versions 6.15.12 through 6.16.2, confirm if your sites are within this range. Prioritize sites that are exposed to the internet, as these are the most reachable. Coordinate with your team to apply official vendor updates as soon as they become available to neutralize the risk.
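As an added example, not part of this advisory or of The Events Calendar's own tooling, the POSIX shell helper below reads the version from a plugin's header file and tests it against the affected range quoted above (6.15.12 through 6.16.2). It assumes the plugin's main file is wp-content/plugins/the-events-calendar/the-events-calendar.php under the WordPress root; the sample header it creates is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a WordPress install for an affected copy of The Events
# Calendar. Range taken from the advisory text above.
TEC_AFFECTED_MIN="6.15.12"
TEC_AFFECTED_MAX="6.16.2"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B over dotted numeric parts,
# so 6.9 sorts before 6.15.12 (a plain string compare would get this wrong).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      ai = (i <= n) ? x[i] + 0 : 0
      bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) { print "-1"; exit }
      if (ai > bi) { print "1"; exit }
    }
    print "0"
  }'
}

# tec_is_affected VERSION: succeeds when MIN <= VERSION <= MAX.
tec_is_affected() {
  [ "$(vercmp "$1" "$TEC_AFFECTED_MIN")" -ge 0 ] &&
  [ "$(vercmp "$1" "$TEC_AFFECTED_MAX")" -le 0 ]
}

# tec_plugin_version FILE: print the "Version:" value from a plugin header
# comment block (lines look like " * Version: 6.16.1").
tec_plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# tec_audit WP_ROOT: report the installed version; exit 0 if affected,
# 1 if installed but outside the range, 2 if the plugin is not present.
# Main-file path is an assumption about the plugin's layout.
tec_audit() {
  f="$1/wp-content/plugins/the-events-calendar/the-events-calendar.php"
  [ -f "$f" ] || { echo "not installed: $1"; return 2; }
  v="$(tec_plugin_version "$f")"
  if tec_is_affected "$v"; then echo "AFFECTED $1 version $v"; return 0; fi
  echo "ok $1 version $v"; return 1
}

# Demo on a constructed plugin header (not a real install).
tmp="$(mktemp -d)"
mkdir -p "$tmp/wp-content/plugins/the-events-calendar"
printf '<?php\n/**\n * Plugin Name: The Events Calendar\n * Version: 6.16.1\n */\n' \
  > "$tmp/wp-content/plugins/the-events-calendar/the-events-calendar.php"
tec_audit "$tmp" || true
rm -rf "$tmp"
```

Run `tec_audit /var/www/site` for each document root you find, or feed it the roots from your inventory; a non-zero exit for every root means no affected copy was found.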
