CVE-2026-49772 | CRITICAL | CNA: Patchstack

CVE-2026-49772: WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: no fix version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

SQL injection vulnerability in The Events Calendar WordPress plugin (versions 6.15.12 through 6.16.2) allows an unauthenticated remote attacker to send crafted HTTP requests to the affected site without any prior login. Successful exploitation enables blind SQL injection against the underlying database, giving an attacker read access to sensitive stored data and a limited ability to disrupt service availability. No fix version has been published yet; HarborGuard tracks the upstream advisory and will surface a patched-image rebuild the moment one becomes available.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle The Events Calendar plugin. Any image containing an affected version (6.15.12 through 6.16.2) is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.3 CRITICAL using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released by Liquid Web or StellarWP. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for affected workloads and egress filtering on database-layer traffic.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker can reach it from the internet without any prior foothold on the host.

  • Authentication: Not required

    No account or session token is needed; the injection can be triggered by any unauthenticated HTTP request.

  • Victim interaction: Not required

    No user action is required; the attacker interacts directly with the server endpoint.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or environmental prerequisites.

Blast Radius

  • An attacker can extract arbitrary rows from the WordPress database through blind SQL injection techniques, including user credentials, password hashes, session tokens, and stored event data.
  • Database availability is partially impacted; resource-heavy injected queries can degrade or briefly disrupt query processing on the affected instance.
  • Because the CVSS scope is Changed, a successful injection against the WordPress database layer can expose data belonging to other applications or tenants sharing the same database server.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against all customer images that bundle The Events Calendar plugin in the affected version range (6.15.12 through 6.16.2). Because no upstream patch exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically once a fix version is published; for customers with auto-remediation enabled, that rebuild triggers a regression run and opens a PR against affected workloads without manual intervention. While no patch is available, customers can use HarborGuard's policy engine to apply compensating controls: network-policy isolation to restrict external access to affected WordPress instances, egress filtering between the application and database tiers, and feature-flag or plugin-disable options surfaced through the remediation workflow. The severity of 9.3 CRITICAL with no authentication barrier makes prompt compensating action the recommended posture until an upstream fix is published.

Affected packages
  • Liquid Web / StellarWP / The Events Calendar
    ≤ 6.16.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L