CVE-2026-49772: The Events Calendar Blind SQL Injection
A critical blind SQL injection (SQLi) vulnerability has been disclosed in The Events Calendar, a widely deployed WordPress plugin maintained by StellarWP (a division of Liquid Web). Tracked as CVE-2026-49772 with a CVSS score of 9.3 (Critical), the flaw allows attackers to extract arbitrary data from the WordPress database without authentication.
The vulnerability affects plugin versions 6.15.12 through 6.16.2 and is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-49772 |
| CVSS Score | 9.3 (Critical) |
| CWE Classification | CWE-89 — SQL Injection |
| Attack Type | Blind SQL Injection |
| Affected Plugin | The Events Calendar (StellarWP / Liquid Web) |
| Affected Versions | 6.15.12 through 6.16.2 |
| Authentication Required | None |
| Patch Available | Update to version after 6.16.2 |
Technical Background
The Events Calendar is one of the most installed event management plugins for WordPress, powering event listings on hundreds of thousands of sites. The SQL injection vulnerability exists within the plugin's query-handling layer, where user-supplied input is incorporated into database queries without adequate sanitization or parameterization.
Blind SQL injection means the HTTP response does not directly display database content. Instead, attackers infer database contents by:
- Boolean-based blind SQLi — Injecting conditions that change page behavior (e.g., `AND 1=1` vs. `AND 1=2`) to extract data bit-by-bit
- Time-based blind SQLi — Using `SLEEP()` or `BENCHMARK()` functions to cause measurable response delays that encode extracted data
A typical injection payload targeting this class of vulnerability:
```sql
-- Boolean-based extraction
1 AND SUBSTRING((SELECT password FROM wp_users LIMIT 1),1,1)='a'
-- Time-based extraction
1 AND SLEEP(5)--
```
Because no authentication is required, this vulnerability is exploitable by any unauthenticated visitor to a site running an affected version.
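To show why the missing parameterization described above is the root cause, here is an added illustration (not code from The Events Calendar) of the CWE-89 pattern beside its parameterized form, using an in-memory SQLite table as a stand-in for wp_users; `lookup_vulnerable`, `lookup_parameterized` and `has_boolean_oracle` are hypothetical names.

```python
import sqlite3

# Constructed stand-in for the wp_users table; the hash is a placeholder, not real data.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    db.execute("INSERT INTO wp_users VALUES (1, 'admin', '$P$PLACEHOLDERHASH')")
    return db

def lookup_vulnerable(db: sqlite3.Connection, event_id: str) -> int:
    # Hypothetical CWE-89 pattern: the request parameter is spliced into the SQL text,
    # so an appended condition such as "AND 1=2" is parsed as SQL and changes the result.
    sql = f"SELECT COUNT(*) FROM wp_users WHERE ID = {event_id}"
    return db.execute(sql).fetchone()[0]

def lookup_parameterized(db: sqlite3.Connection, event_id: str) -> int:
    # Hardened form: the SQL text is fixed and the driver binds the value, so the
    # whole string is compared against ID as data and never parsed as SQL.
    # WordPress equivalent: $wpdb->prepare("... WHERE ID = %d", $event_id).
    row = db.execute("SELECT COUNT(*) FROM wp_users WHERE ID = ?", (event_id,)).fetchone()
    return row[0]

def has_boolean_oracle(lookup) -> bool:
    """True if a true and a false injected condition give different results,
    i.e. the lookup leaks one bit per request (the blind SQLi oracle)."""
    db = make_db()
    return lookup(db, "1 AND 1=1") != lookup(db, "1 AND 1=2")

if __name__ == "__main__":
    print("vulnerable leaks:", has_boolean_oracle(lookup_vulnerable))      # True
    print("parameterized leaks:", has_boolean_oracle(lookup_parameterized))  # False
```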
Attack Flow
1. Attacker identifies a WordPress site running The Events Calendar 6.15.12 - 6.16.2
2. Attacker sends crafted HTTP request with SQLi payload to a vulnerable plugin endpoint (event query, REST API, or search function)
3. Plugin passes unsanitized input to MySQL query
4. Attacker uses boolean or time-based blind techniques to extract:
- WordPress admin credentials (wp_users table)
- User email addresses
- Plugin option values (API keys, tokens stored in wp_options)
- Any other database content accessible to the wp DB user
5. With extracted credentials, attacker achieves WordPress admin access and full site compromise
Scope and Prevalence
The Events Calendar is among the top 10 most installed WordPress plugins globally, with:
- Millions of active installations across WordPress sites
- Common deployment in venues, schools, churches, nonprofits, and event-driven businesses
- Often installed alongside companion plugins (Events Calendar Pro, The Tribe Tickets) that may extend the attack surface
The CVSS 9.3 critical rating reflects the low attack complexity and complete absence of authentication requirements — any site on an affected version is immediately at risk.
Remediation
Update the Plugin
Update The Events Calendar to a version after 6.16.2 via the WordPress admin or WP-CLI:
```shell
# Update via WP-CLI
wp plugin update the-events-calendar
# Confirm installed version
wp plugin get the-events-calendar --field=version
```
Or navigate to WordPress Admin > Plugins > The Events Calendar > Update Now.
Interim Mitigations (Pre-Patch)
If immediate patching is not possible:
- Web Application Firewall (WAF) — Deploy Wordfence, Sucuri, or Cloudflare WAF with SQL injection rule sets enabled
- Database user privilege reduction — Ensure the WordPress database user has only `SELECT`, `INSERT`, `UPDATE`, `DELETE` privileges; revoke `FILE`, `SUPER`, and `EXECUTE`
- Disable the plugin temporarily — If events functionality is non-critical, deactivate until a patch is applied
- Monitor database queries — Enable query logging and alert on anomalous `SLEEP()`, `BENCHMARK()`, `UNION SELECT`, or `INFORMATION_SCHEMA` access patterns
Detection
Watch for signs of exploitation in web server and database logs:
```shell
# Scan access logs for common SQLi patterns
grep -iE "(UNION SELECT|SLEEP\(|BENCHMARK\(|INFORMATION_SCHEMA|0x[0-9a-f]+)" \
  /var/log/nginx/access.log | tail -200
# Check for unusual response time spikes (time-based SQLi signature).
# Assumes the log format appends the response time in milliseconds as its own field;
# -E is required for the {3} interval to be interpreted as a repetition count.
grep -E " 5[0-9]{3} " /var/log/nginx/access.log | awk '{print $7}' | sort | uniq -c | sort -rn
```
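A raw grep misses percent-encoded payloads (`%20AND%20SLEEP(5)`) and cannot tie a slow response to the request that caused it. The following added detector (not from the original advisory) URL-decodes each request target before matching and flags slow requests that carry a query string. It assumes nginx's combined log format with `$request_time` appended as the last field, and runs over constructed sample lines whose endpoint path is a placeholder.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in nginx "combined" format with $request_time (seconds)
# appended as the last field. "/PLUGIN-ENDPOINT" is a placeholder path; these are
# synthetic entries, not records from any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /events/?view=list HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.041
203.0.113.5 - - [10/May/2026:12:00:03 +0000] "GET /PLUGIN-ENDPOINT?id=1%20AND%20SLEEP(5)-- HTTP/1.1" 200 312 "-" "python-requests/2.31" 5.012
203.0.113.5 - - [10/May/2026:12:00:09 +0000] "GET /PLUGIN-ENDPOINT?id=1%20AND%201%3D2 HTTP/1.1" 200 301 "-" "python-requests/2.31" 0.038
198.51.100.7 - - [10/May/2026:12:00:10 +0000] "GET /events/2026-05-10/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0" 0.052
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)

# Signatures are matched against the URL-decoded request target, so percent-encoded
# payloads (%20, %3D, ...) are caught where a grep over the raw line would miss them.
SIGNATURES = {
    "time-based": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "union/schema": re.compile(r"UNION\s+SELECT|INFORMATION_SCHEMA", re.I),
    "boolean-condition": re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+", re.I),
}
SLOW_SECONDS = 3.0  # response-time threshold that corroborates a time-based probe

def analyze(log_text: str, slow_seconds: float = SLOW_SECONDS) -> list[dict]:
    """Return one finding per suspicious request with the reasons it was flagged."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        decoded = unquote_plus(m["target"])
        reasons = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if float(m["rt"]) >= slow_seconds and "?" in decoded:
            reasons.append("slow-response")  # slow *and* parameterized: worth a look
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": decoded, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], f["ts"], ", ".join(f["reasons"]), f["target"])
```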
```sql
# Enable MySQL general query log temporarily
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/log/mysql/general.log';
```
Impact Assessment
| Impact Area | Severity | Description |
|---|---|---|
| Credential Exposure | Critical | WordPress admin password hashes extractable |
| PII Leak | High | User emails, names, and event registrant data at risk |
| Plugin Config Data | High | API keys and tokens stored in wp_options can be extracted |
| Full Site Takeover | Critical | Password hash extraction enables offline cracking and admin login |
| Exploitation Barrier | Low | No authentication or special privileges required |
Key Takeaways
- CVE-2026-49772 is a critical blind SQL injection in The Events Calendar versions 6.15.12–6.16.2 by StellarWP
- CVSS 9.3 Critical — unauthenticated exploitation, low attack complexity
- No authentication required — any HTTP request to a vulnerable endpoint can trigger data exfiltration
- Immediate action: Update to a fixed version; deploy WAF rules as an interim control
- Audit wp_options and wp_users if your site ran an affected version — assume credential exposure is possible