Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
The plugin endpoint is internet-reachable and needs neither authentication nor user interaction (AV:N/AC:L/PR:N/UI:N). The blind SQL injection reads data from tables outside the plugin's own (S:C, C:H), but nothing in the input indicates a write primitive (I:N), and the availability impact is limited to the load of blind-extraction queries rather than a DoS primitive (A:L).
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
Description (CVE.org)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection.
This issue affects The Events Calendar: from 6.15.12 through 6.16.2.
Analysis (AI)
Blind SQL injection in The Events Calendar WordPress plugin (versions 6.15.12 through 6.16.2) by Liquid Web / StellarWP lets remote attackers inject SQL through input the plugin passes to a query without sanitization. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) describes a network-reachable, unauthenticated, low-complexity issue with a scope change and high confidentiality impact, which scores 9.3 (Critical). …
Attack Chain (AI derived)
Hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Exploitation | The target must be running WordPress with The Events Calendar plugin installed and active at a version from 6.15.12 through 6.16.2, with the vulnerable endpoint reachable by the attacker. A default WordPress configuration exposes both /wp-admin/admin-ajax.php and the /wp-json REST API to unauthenticated clients. … |
| Risk Assessment | Signals are mixed: the CVSS 3.1 base score of 9.3 with AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L paints this as critical and trivially reachable, and the scope change plus C:H reflects that a single SQL injection in a WordPress plugin can expose data well beyond the plugin's own tables (user password hashes in wp_users, hashed session tokens in wp_usermeta, secrets stored in wp_options). … |
| Exploit Scenario | An unauthenticated remote attacker scans WordPress sites for The Events Calendar 6.15.12 through 6.16.2 by fingerprinting plugin assets, then sends crafted requests (most likely time-based payloads via sqlmap) to the vulnerable AJAX or REST endpoint and blind-extracts data such as administrator password hashes from wp_users and secrets from wp_options. With those hashes the attacker can attempt offline cracking; anything recovered is then used to escalate to full WordPress admin and deploy a webshell. … |
| Remediation | Upgrade The Events Calendar to a version newer than 6.16.2 as published on wordpress.org or via the WordPress plugin updater. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/the-events-calendar/vulnerability/wordpress-the-events-calendar-plugin-6-15-12-6-16-2-sql-injection-vulnerability is the authoritative reference for the fixed release. … |
Recommended Action (AI)
24 hours: Inventory all WordPress sites running The Events Calendar and identify those on versions 6.15.12 through 6.16.2; where the upgrade cannot be applied immediately, add temporary WAF rules that detect SQL injection payloads against the plugin's endpoints as a stopgap, not as a substitute for patching. …
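Two checks for the first-24-hours actions above, as an added example that is not code from vuln.today, Patchstack or StellarWP. The first reads a plugin's version from the standard WordPress readme.txt "Stable tag:" line (an assumption about how the inventory is taken; WordPress.org-hosted plugins serve it from wp-content/plugins/the-events-calendar/readme.txt) and classifies it against the affected range 6.15.12 through 6.16.2. The second flags time-based blind SQL injection indicators in access-log requests to the unauthenticated WordPress endpoints named in the assessment. The log lines, endpoint paths and parameter names are constructed samples; the page does not name the vulnerable endpoint or the payload, so the detection covers the technique, not this CVE's specific request.

```python
"""Added example (not from vuln.today, Patchstack or StellarWP): version-range
check and time-based blind SQLi log detection for The Events Calendar
6.15.12 through 6.16.2.

Assumptions not stated on the page:
- The installed version is read from the plugin's readme.txt "Stable tag:"
  line (WordPress.org convention).
- Log lines are constructed Combined Log Format samples; their endpoint
  paths and parameter names are hypothetical.
"""
import re
from urllib.parse import unquote_plus

AFFECTED_MIN = (6, 15, 12)   # "from 6.15.12"
AFFECTED_MAX = (6, 16, 2)    # "through 6.16.2"

# Paths WordPress exposes to unauthenticated clients by default (assessment above).
UNAUTH_PREFIXES = ("/wp-admin/admin-ajax.php", "/wp-json/")

# Generic time-based blind SQLi indicators: MySQL SLEEP/BENCHMARK plus the
# PostgreSQL and MSSQL equivalents. Catches the technique, not a known payload.
TIME_BASED_SQLI = re.compile(
    r"(?i)(?:\bsleep\s*\(|\bbenchmark\s*\(|\bpg_sleep\s*\(|\bwaitfor\s+delay\b)"
)

# Combined Log Format: ip, identity, user, [timestamp], "METHOD target proto", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """'6.16.2' -> (6, 16, 2); None if the string is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def stable_tag(readme_text):
    """Return the 'Stable tag:' value of a WordPress readme.txt, or None."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected(version):
    """True when version lies within [6.15.12, 6.16.2] inclusive.

    Tuple comparison orders components numerically (6.15.12 > 6.15.9) and
    treats a longer tag such as 6.16.2.1 as newer than 6.16.2, i.e. outside
    the range, matching the "newer than 6.16.2" remediation wording.
    """
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def classify_readme(readme_text):
    """'affected', 'not affected' or 'unknown' for one fetched readme.txt."""
    tag = stable_tag(readme_text)
    version = parse_version(tag) if tag else None
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def flag_time_based_sqli(log_lines):
    """Return (ip, path) for requests to unauthenticated WordPress endpoints
    whose URL carries a time-based blind SQLi indicator.

    An access log only holds the request line, so this sees GET query
    strings; payloads in POST bodies need WAF or request-body logging.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        path = target.split("?", 1)[0]
        if not path.startswith(UNAUTH_PREFIXES):
            continue
        # Decode twice: scanners often double-encode to slip past naive filters.
        decoded = unquote_plus(unquote_plus(target))
        if TIME_BASED_SQLI.search(decoded):
            hits.append((m.group("ip"), path))
    return hits


# Constructed sample inputs (not real sites or real traffic).
SAMPLE_README_AFFECTED = "=== The Events Calendar ===\nStable tag: 6.16.2\n"
SAMPLE_README_FIXED = "=== The Events Calendar ===\nStable tag: 6.16.2.1\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&q=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 43 "-" "sqlmap/1.8"',
    '198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2026:10:00:03 +0000] "GET /wp-content/plugins/the-events-calendar/readme.txt HTTP/1.1" 200 5000 "-" "sqlmap/1.8"',
    '203.0.113.9 - - [01/Jan/2026:10:00:04 +0000] "GET /wp-json/example/v1/lookup?id=1%2527%2520AND%2520BENCHMARK(5000000,MD5(1))%2523 HTTP/1.1" 500 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print(classify_readme(SAMPLE_README_AFFECTED), "/", classify_readme(SAMPLE_README_FIXED))
    for ip, path in flag_time_based_sqli(SAMPLE_LOG):
        print("time-based SQLi indicator from", ip, "to", path)
```

The third sample line, a fetch of the plugin's readme.txt by a scanner, is the fingerprinting step from the exploit scenario above; it is not an injection attempt and is deliberately not flagged, but a burst of such fetches across many hosts from one client is itself worth an alert. Keep the indicator list narrow: a rule that matches on "AND" or "SELECT" alone will page you on legitimate search queries.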
Related identifiers
EUVD-2026-37057
GHSA-v796-wqfq-j4xh