Introduction
A critical unauthenticated blind SQL injection vulnerability in The Events Calendar WordPress plugin puts over 700,000 active installations at risk of database compromise without requiring any attacker credentials. What makes CVE-2026-49772 particularly notable is that it represents the third SQL injection CVE affecting this plugin in under a year, following a pattern of incomplete remediations that points to deeper architectural issues in the plugin's database query layer.
The Events Calendar is one of the most widely used event management plugins in the WordPress ecosystem, with over 700,000 active installations and a history stretching back to January 2010. It is maintained by Nexcess under Liquid Web (formerly marketed under the StellarWP brand) and is used by organizations of all sizes to manage and display events on WordPress sites.
Technical Information
Vulnerability Classification and Scope
CVE-2026-49772 is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and falls within the OWASP Top 10 category A3: Injection. The CVSS score of 9.3, assigned by Patchstack, places it firmly in the critical severity range. The NVD record is currently in "Received" status and has not yet published its own CVSS vector breakdown.
The vulnerability affects The Events Calendar versions 6.15.12 through 6.16.2. This version range is significant: it begins after the patches for the two prior SQL injection CVEs (CVE-2025-9807, patched in 6.15.1.1, and CVE-2025-12197, patched in 6.15.10). This means the vulnerability was either introduced or reintroduced in the 6.15.12 codebase, not carried over from the earlier flaws.
Root Cause Analysis
The prior CVEs in this plugin provide substantial insight into the likely root cause. Both CVE-2025-9807 (time based SQL injection, versions up to 6.15.1) and CVE-2025-12197 (blind SQL injection, versions 6.15.1.1 through 6.15.9) exploited the 's' parameter (the search query parameter) in the plugin's custom query logic within src/Events/Custom_Tables/V1/WP_Query/Custom_Tables_Query.php. The core issue was a lack of prepared statements and insufficient escaping of user input before it was incorporated into SQL queries.
CVE-2025-12197 was explicitly described as a continuation of CVE-2025-9807, where an incomplete remediation left the core vulnerability unresolved, allowing similar exploitation via the same parameter in subsequent versions. This establishes a clear pattern: point fixes addressing specific injection vectors without resolving the underlying architectural weakness in how the plugin constructs database queries.
While the specific parameter and code path for CVE-2026-49772 have not been publicly detailed, the recurring pattern strongly suggests the plugin's custom query construction in Custom_Tables_Query.php carries architectural debt that individual patches have not fully addressed.
Attack Vector and Exploitation Method
The vulnerability is unauthenticated, meaning any remote attacker can target affected installations without needing WordPress credentials. This dramatically lowers the barrier to exploitation and makes automated scanning and mass exploitation feasible.
As a blind SQL injection vulnerability, the application does not return database errors or query results directly in HTTP responses. Instead, attackers must infer data through indirect observations using two primary techniques:
Boolean based blind SQL injection: The attacker constructs payloads that pose true/false questions to the database. The application's response differs depending on whether the injected condition evaluates to true or false. By systematically testing conditions, an attacker can extract data bit by bit. For example, an attacker might test whether the first character of the admin password hash is greater than a certain ASCII value, and the differing response reveals the answer.
Time based blind SQL injection: The attacker injects database timing functions such as SLEEP() or BENCHMARK() in MySQL. When a condition is true, the server response is delayed by the specified duration. By measuring response times, attackers infer the truth of each condition and extract data character by character. This technique is slower but works even when the application returns identical responses for true and false conditions.
Exploitation Flow
Based on the characteristics of this vulnerability and the related prior CVEs, the likely exploitation flow is:
- The attacker identifies a WordPress site running a vulnerable version of The Events Calendar (versions 6.15.12 through 6.16.2). Version detection can be performed through publicly accessible plugin metadata.
- The attacker crafts a request to the plugin's search or query endpoint, injecting SQL syntax into the vulnerable parameter.
- Since the injection is blind, the attacker uses boolean based or time based inference to confirm the injection point is exploitable.
- Using automated tooling (blind SQL injection can be fully automated with tools like sqlmap), the attacker systematically extracts database contents, including WordPress user credentials, site configuration data, and any other information stored in the database.
- With extracted admin credentials or other sensitive data, the attacker can escalate to full site compromise, potentially deploying web shells or modifying site content.
The Patchstack advisory states that the vulnerability "allows malicious actors to directly interact with the database to steal information."
Why This Matters at Scale
Patchstack assesses this vulnerability as "highly dangerous and expected to become exploited," noting that "vulnerabilities like this one are used in mass exploit campaigns." The combination of unauthenticated access, a 700,000+ installation base, and the fully automatable nature of blind SQL injection creates conditions favorable for large scale exploitation. VulnCheck's State of Exploitation 2026 report noted that 28.96% of KEVs in 2025 were exploited on or before the day their CVE was published, underscoring how quickly threat actors move on high value vulnerabilities.
Affected Systems and Versions
| Attribute | Value |
|---|---|
| Plugin | The Events Calendar |
| Vendor | Liquid Web / StellarWP (Nexcess) |
| Affected Versions | 6.15.12 through 6.16.2 |
| Patched Version | 6.16.3 |
| WordPress Requirement | 6.7 or higher |
| PHP Requirement | 7.4 or higher |
| Active Installations | 700,000+ |
| CVSS Score | 9.3 (Patchstack) |
| Authentication Required | None |
| CWE | CWE-89 |
Any WordPress site running The Events Calendar versions 6.15.12, 6.15.13, 6.16.0, 6.16.1, or 6.16.2 is vulnerable. The vulnerability is unauthenticated, so any internet facing installation in this version range is exposed regardless of WordPress user configuration or role settings.
Version 6.16.3 is the patched release and is available from the WordPress plugin repository. The plugin was last updated on May 28, 2026. Notably, the WordPress.org changelog for 6.16.3 does not explicitly reference a security fix, listing functional bug fixes and language updates instead, which suggests the security patch was applied without public changelog notation.
Vendor Security History
The Events Calendar has a concerning recent history of SQL injection vulnerabilities. The following table summarizes the pattern:
| CVE | Type | Affected Versions | Severity | Status |
|---|---|---|---|---|
| CVE-2024-8275 | Unauthenticated SQL Injection | Up to 6.14.2 | High | Patched |
| CVE-2025-9807 | Time based SQL Injection | Up to 6.15.1 | High | Patched |
| CVE-2025-12197 | Blind SQL Injection | 6.15.1.1 through 6.15.9 | High | Patched |
| CVE-2025-30794 | Reflected XSS (Event Tickets) | Up to 5.20.0 | Medium | Patched |
| CVE-2026-49772 | Blind SQL Injection | 6.15.12 through 6.16.2 | 9.3 (Critical) | Patched in 6.16.3 |
Three SQL injection CVEs in under a year is a significant pattern. CVE-2025-12197 was explicitly caused by an incomplete fix for CVE-2025-9807, and the reemergence of blind SQL injection in CVE-2026-49772 raises questions about whether the vendor's remediation process is addressing root causes or treating symptoms.
StellarWP as a vendor has 122 published CVE records since 2019, with 10 CVEs having known public exploits. None have appeared in CISA's Known Exploited Vulnerabilities catalog.
Adding to the context, Liquid Web retired the StellarWP brand in May 2026, consolidating its product portfolio. The Events Calendar is one of four core products that will continue receiving support. However, a small number of older themes and tools under the former StellarWP umbrella will receive critical security patches only through April 2027, after which no further support will be provided. The organizational disruption associated with this transition may affect security engineering capacity.
References
- NVD: CVE-2026-49772
- Patchstack Advisory: WordPress The Events Calendar Plugin 6.15.12 to 6.16.2 SQL Injection
- Patchstack VDP: The Events Calendar SQL Injection
- The Events Calendar on WordPress.org
- ZeroPath: CVE-2025-9807 Events Calendar SQL Injection Summary
- ZeroPath: CVE-2025-12197 Events Calendar Blind SQL Injection Summary
- Wordfence: The Events Calendar Vulnerability Database
- Wordfence: How To Find SQL Injection Vulnerabilities in WordPress Plugins
- StellarWP Vulnerability Overview (RadicalNotion)
- The Repository: Liquid Web Retires StellarWP
- CISA Known Exploited Vulnerabilities Catalog
- VulnCheck: State of Exploitation 2026
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command
- PortSwigger: What is Blind SQL Injection?



