CVE-2026-49772NVD

Vulnerability Summary

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection.

This issue affects The Events Calendar: from 6.15.12 through 6.16.2.

Severity Level

CRITICAL(9.3)

Published Date

Jun 16, 2026

Last Modified

Jun 16, 2026

Exploitation Status

????

EPSS Score (30-Day)

Data Pending

Root Weakness (CWE)

CWE-89: SQL Injection ↗

Improper neutralization of special elements used in an SQL command, allowing attackers to modify queries.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeChanged

ConfidentialityHigh

IntegrityNone

AvailabilityLow

External References

https://patchstack.com/database/wordpress/plugin/the-events-calendar/vulnerability/wordpress-the-events-calendar-plugin-6-15-12-6-16-2-sql-injection-vulnerability?_s_id=cve