ZeroPath at Black Hat USA 2026

The Events Calendar Plugin CVE-2026-49772: Brief Summary of Critical Blind SQL Injection Affecting 700,000+ WordPress Sites

A brief summary of CVE-2026-49772, a critical unauthenticated blind SQL injection vulnerability in The Events Calendar WordPress plugin versions 6.15.12 through 6.16.2, representing the third SQL injection flaw in the plugin in under a year.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-16

The Events Calendar Plugin CVE-2026-49772: Brief Summary of Critical Blind SQL Injection Affecting 700,000+ WordPress Sites
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A critical unauthenticated blind SQL injection vulnerability in The Events Calendar WordPress plugin puts over 700,000 active installations at risk of database compromise without requiring any attacker credentials. What makes CVE-2026-49772 particularly notable is that it represents the third SQL injection CVE affecting this plugin in under a year, following a pattern of incomplete remediations that points to deeper architectural issues in the plugin's database query layer.

The Events Calendar is one of the most widely used event management plugins in the WordPress ecosystem, with over 700,000 active installations and a history stretching back to January 2010. It is maintained by Nexcess under Liquid Web (formerly marketed under the StellarWP brand) and is used by organizations of all sizes to manage and display events on WordPress sites.

Technical Information

Vulnerability Classification and Scope

CVE-2026-49772 is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and falls within the OWASP Top 10 category A3: Injection. The CVSS score of 9.3, assigned by Patchstack, places it firmly in the critical severity range. The NVD record is currently in "Received" status and has not yet published its own CVSS vector breakdown.

The vulnerability affects The Events Calendar versions 6.15.12 through 6.16.2. This version range is significant: it begins after the patches for the two prior SQL injection CVEs (CVE-2025-9807, patched in 6.15.1.1, and CVE-2025-12197, patched in 6.15.10). This means the vulnerability was either introduced or reintroduced in the 6.15.12 codebase, not carried over from the earlier flaws.

Root Cause Analysis

The prior CVEs in this plugin provide substantial insight into the likely root cause. Both CVE-2025-9807 (time based SQL injection, versions up to 6.15.1) and CVE-2025-12197 (blind SQL injection, versions 6.15.1.1 through 6.15.9) exploited the 's' parameter (the search query parameter) in the plugin's custom query logic within src/Events/Custom_Tables/V1/WP_Query/Custom_Tables_Query.php. The core issue was a lack of prepared statements and insufficient escaping of user input before it was incorporated into SQL queries.

CVE-2025-12197 was explicitly described as a continuation of CVE-2025-9807, where an incomplete remediation left the core vulnerability unresolved, allowing similar exploitation via the same parameter in subsequent versions. This establishes a clear pattern: point fixes addressing specific injection vectors without resolving the underlying architectural weakness in how the plugin constructs database queries.

While the specific parameter and code path for CVE-2026-49772 have not been publicly detailed, the recurring pattern strongly suggests the plugin's custom query construction in Custom_Tables_Query.php carries architectural debt that individual patches have not fully addressed.

Attack Vector and Exploitation Method

The vulnerability is unauthenticated, meaning any remote attacker can target affected installations without needing WordPress credentials. This dramatically lowers the barrier to exploitation and makes automated scanning and mass exploitation feasible.

As a blind SQL injection vulnerability, the application does not return database errors or query results directly in HTTP responses. Instead, attackers must infer data through indirect observations using two primary techniques:

Boolean based blind SQL injection: The attacker constructs payloads that pose true/false questions to the database. The application's response differs depending on whether the injected condition evaluates to true or false. By systematically testing conditions, an attacker can extract data bit by bit. For example, an attacker might test whether the first character of the admin password hash is greater than a certain ASCII value, and the differing response reveals the answer.

Time based blind SQL injection: The attacker injects database timing functions such as SLEEP() or BENCHMARK() in MySQL. When a condition is true, the server response is delayed by the specified duration. By measuring response times, attackers infer the truth of each condition and extract data character by character. This technique is slower but works even when the application returns identical responses for true and false conditions.

Exploitation Flow

Based on the characteristics of this vulnerability and the related prior CVEs, the likely exploitation flow is:

  1. The attacker identifies a WordPress site running a vulnerable version of The Events Calendar (versions 6.15.12 through 6.16.2). Version detection can be performed through publicly accessible plugin metadata.
  2. The attacker crafts a request to the plugin's search or query endpoint, injecting SQL syntax into the vulnerable parameter.
  3. Since the injection is blind, the attacker uses boolean based or time based inference to confirm the injection point is exploitable.
  4. Using automated tooling (blind SQL injection can be fully automated with tools like sqlmap), the attacker systematically extracts database contents, including WordPress user credentials, site configuration data, and any other information stored in the database.
  5. With extracted admin credentials or other sensitive data, the attacker can escalate to full site compromise, potentially deploying web shells or modifying site content.

The Patchstack advisory states that the vulnerability "allows malicious actors to directly interact with the database to steal information."

Why This Matters at Scale

Patchstack assesses this vulnerability as "highly dangerous and expected to become exploited," noting that "vulnerabilities like this one are used in mass exploit campaigns." The combination of unauthenticated access, a 700,000+ installation base, and the fully automatable nature of blind SQL injection creates conditions favorable for large scale exploitation. VulnCheck's State of Exploitation 2026 report noted that 28.96% of KEVs in 2025 were exploited on or before the day their CVE was published, underscoring how quickly threat actors move on high value vulnerabilities.

Affected Systems and Versions

AttributeValue
PluginThe Events Calendar
VendorLiquid Web / StellarWP (Nexcess)
Affected Versions6.15.12 through 6.16.2
Patched Version6.16.3
WordPress Requirement6.7 or higher
PHP Requirement7.4 or higher
Active Installations700,000+
CVSS Score9.3 (Patchstack)
Authentication RequiredNone
CWECWE-89

Any WordPress site running The Events Calendar versions 6.15.12, 6.15.13, 6.16.0, 6.16.1, or 6.16.2 is vulnerable. The vulnerability is unauthenticated, so any internet facing installation in this version range is exposed regardless of WordPress user configuration or role settings.

Version 6.16.3 is the patched release and is available from the WordPress plugin repository. The plugin was last updated on May 28, 2026. Notably, the WordPress.org changelog for 6.16.3 does not explicitly reference a security fix, listing functional bug fixes and language updates instead, which suggests the security patch was applied without public changelog notation.

Vendor Security History

The Events Calendar has a concerning recent history of SQL injection vulnerabilities. The following table summarizes the pattern:

CVETypeAffected VersionsSeverityStatus
CVE-2024-8275Unauthenticated SQL InjectionUp to 6.14.2HighPatched
CVE-2025-9807Time based SQL InjectionUp to 6.15.1HighPatched
CVE-2025-12197Blind SQL Injection6.15.1.1 through 6.15.9HighPatched
CVE-2025-30794Reflected XSS (Event Tickets)Up to 5.20.0MediumPatched
CVE-2026-49772Blind SQL Injection6.15.12 through 6.16.29.3 (Critical)Patched in 6.16.3

Three SQL injection CVEs in under a year is a significant pattern. CVE-2025-12197 was explicitly caused by an incomplete fix for CVE-2025-9807, and the reemergence of blind SQL injection in CVE-2026-49772 raises questions about whether the vendor's remediation process is addressing root causes or treating symptoms.

StellarWP as a vendor has 122 published CVE records since 2019, with 10 CVEs having known public exploits. None have appeared in CISA's Known Exploited Vulnerabilities catalog.

Adding to the context, Liquid Web retired the StellarWP brand in May 2026, consolidating its product portfolio. The Events Calendar is one of four core products that will continue receiving support. However, a small number of older themes and tools under the former StellarWP umbrella will receive critical security patches only through April 2027, after which no further support will be provided. The organizational disruption associated with this transition may affect security engineering capacity.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization