PatchSiren cyber security CVE debrief
CVE-2026-49772 Liquid Web / StellarWP CVE debrief
A critical vulnerability was discovered in The Events Calendar plugin, affecting versions from 6.15.12 through 6.16.2. This vulnerability, CVE-2026-49772, is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') issue, which allows for blind SQL injection attacks. The CVSS score for this vulnerability is 9.3, indicating a critical severity level.
- Vendor
- Liquid Web / StellarWP
- Product
- The Events Calendar
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-16
- Original CVE updated
- 2026-06-16
- Advisory published
- 2026-06-16
- Advisory updated
- 2026-06-16
Who should care
Users of The Events Calendar plugin, particularly those using versions between 6.15.12 and 6.16.2, should be aware of this vulnerability and take immediate action to mitigate the risk.
Technical summary
The vulnerability is caused by improper neutralization of special elements used in SQL commands, allowing attackers to inject malicious SQL code. This can lead to unauthorized access to sensitive data and potentially allow for blind SQL injection attacks.
Defensive priority
High
Recommended defensive actions
- Update The Events Calendar plugin to a version outside of the affected range (6.15.12 - 6.16.2) as soon as possible.
- Review and monitor database activity for suspicious queries.
Evidence notes
Evidence of this vulnerability was provided by Patchstack, as referenced in the CVE record.
Official resources
-
CVE-2026-49772 CVE record
CVE.org
-
CVE-2026-49772 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-49772 was published on 2026-06-16T10:16:27.620Z and has not been modified since.