OFFSITE.DARK

Jun 29, 2026


Sploitus

  • wordpress
  • sqli
  • cve-2026-49772
  • the-events-calendar

news

The Events Calendar Unauthenticated SQLi (CVE-2026-49772)

A broken REST validate_callback lets the order parameter reach ORDER BY — blind boolean/time extraction of wp_users hashes via the tec/v1 API.

Summary

CVE-2026-49772 is a critical (CVSS 9.3) unauthenticated blind SQL injection in the WordPress plugin The Events Calendar, versions 6.15.12 – 6.16.2 (fixed in 6.16.3). The experimental tec/v1 REST route passes the unsanitized order parameter into the SQL ORDER BY clause because its validate_callback returns a closure instead of validating the input, so no value is ever rejected. joshuavanderpoll/CVE-2026-49772 demonstrates blind boolean/time extraction of wp_users hashes.

Key Findings

Finding            Detail
CVE                CVE-2026-49772
Endpoint           GET /wp-json/tec/v1/events?orderby=event_date&order=
Injection class    Read-only blind SQLi (boolean + time oracles)
Extractable data   wp_users hashes, session tokens, application passwords, options
Fixed version      6.16.3

Attack Chain

GET /wp-json/tec/v1/events?orderby=event_date&order=<injection>
        ↓
ORDER BY clause concatenation
        ↓
Boolean/time oracle extraction (--users, --recon, --query)

Impact

Full database read for unauthenticated attackers — credential material enables site takeover without write primitives.

Mitigation

  1. Update The Events Calendar to 6.16.3+.
  2. Block /wp-json/tec/v1/ at WAF until patched.
  3. Rotate passwords and application passwords if the plugin was vulnerable and internet-exposed.
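Mitigation step 2 filters the route at the WAF; the same allowlist logic can be run over web-server access logs to find requests that reached the route before the block was in place. The following is an added example, not code from this page's source or from the plugin: the log lines are constructed, it assumes the combined log format, and it assumes a legitimate order value is only ASC or DESC. It also covers the /?rest_route= form of the URL that WordPress accepts, which a filter on the /wp-json/tec/v1/ path alone would miss.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jun/2026:10:01:02 +0000] "GET /wp-json/tec/v1/events?orderby=event_date&order=DESC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Jun/2026:10:01:03 +0000] "GET /wp-json/tec/v1/events?orderby=event_date&order=DESC%2C1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.11 - - [29/Jun/2026:10:01:04 +0000] "GET /wp-json/wp/v2/posts?order=asc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [29/Jun/2026:10:01:05 +0000] "GET /wp-json/tec/v1/events?order=asc&orderby=event_date HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.13 - - [29/Jun/2026:10:01:06 +0000] "GET /?rest_route=%2Ftec%2Fv1%2Fevents&order=DESC%2C1 HTTP/1.1" 200 5120 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULNERABLE_ROUTE_PREFIX = "/tec/v1/"   # the experimental TEC REST namespace
ALLOWED_ORDER = {"ASC", "DESC"}        # the only values a sort direction may take


def rest_request(target):
    """Return (route, query) for a request target, honouring both URL forms
    WordPress accepts for its REST API: /wp-json/<route> and /?rest_route=/<route>.
    route is None when the target is not a REST request."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes values
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):], query
    if "rest_route" in query:
        return query["rest_route"][0], query
    return None, query


def is_suspicious_order(value):
    """Anything other than ASC/DESC (any case) cannot be a legitimate sort direction."""
    return value.strip().upper() not in ALLOWED_ORDER


def scan_log(text):
    """Return (client_ip, route, order_value) for each tec/v1 request whose order
    parameter falls outside the allowlist. Other REST namespaces are ignored."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        route, query = rest_request(m.group("target"))
        if route is None or not route.startswith(VULNERABLE_ROUTE_PREFIX):
            continue
        for value in query.get("order", []):
            if is_suspicious_order(value):
                hits.append((m.group("ip"), route, value))
    return hits
```

Run scan_log over the real access log of a site that was exposed while vulnerable; any hit is a request that should be treated as an extraction attempt, which makes step 3 (credential rotation) mandatory rather than precautionary.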
