The Events Calendar Unauthenticated SQLi (CVE-2026-49772)
A broken REST validate_callback lets the order parameter reach ORDER BY unsanitized — blind boolean/time extraction of wp_users hashes via the tec/v1 API.
Summary
CVE-2026-49772 is a critical (CVSS 9.3) unauthenticated blind SQL injection in the WordPress plugin The Events Calendar 6.15.12 – 6.16.2 (fixed in 6.16.3). The experimental tec/v1 REST route passes the unsanitized order query parameter into the SQL ORDER BY clause because its validate_callback returns a closure instead of validating the input, so no value is ever rejected. joshuavanderpoll/CVE-2026-49772 demonstrates blind boolean/time extraction of wp_users hashes.
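The validator bug class described above, shown beside a hardened form. This is an added example, not The Events Calendar's code; it assumes a stubbed WP_Error and a small harness that emulates how WordPress core judges a validate_callback result (rejected only when the return is exactly false or a WP_Error), so it runs with plain `php` outside WordPress.

```php
<?php
// Added example (not the plugin's code). Stub so the file runs without WordPress;
// the real WP_Error takes ($code, $message, $data).
class WP_Error {
    public function __construct(public string $code = '', public string $message = '') {}
}

// Vulnerable pattern: the callback RETURNS a closure instead of calling it.
// A closure is neither false nor a WP_Error, so core treats every value as valid
// and the raw string flows on to the ORDER BY clause.
$vulnerable_args = [
    'order' => [
        'validate_callback' => function ($value) {
            return function ($value) {
                return in_array(strtoupper($value), ['ASC', 'DESC'], true);
            };
        },
    ],
];

// Hardened pattern: decide here and return bool|WP_Error; the schema `enum`
// additionally lets core reject anything outside the allowlist.
$hardened_args = [
    'order' => [
        'type'              => 'string',
        'enum'              => ['ASC', 'DESC', 'asc', 'desc'],
        'validate_callback' => function ($value) {
            return in_array(strtoupper((string) $value), ['ASC', 'DESC'], true)
                ? true
                : new WP_Error('rest_invalid_param', 'order must be ASC or DESC');
        },
    ],
];

// Emulation of the check in WP_REST_Request::has_valid_params() (assumption:
// simplified to the false / WP_Error test that decides acceptance).
function param_is_valid(array $args, string $key, $value): bool {
    $result = call_user_func($args[$key]['validate_callback'], $value);
    return $result !== false && !($result instanceof WP_Error);
}

// Both the column and the direction are mapped through allowlists; user input
// is never interpolated directly into the SQL fragment.
function build_order_by(string $orderby, string $order): string {
    $columns   = ['event_date' => 'event_date', 'title' => 'post_title']; // constructed map
    $column    = $columns[$orderby] ?? 'event_date';
    $direction = strtoupper($order) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

foreach (['DESC', 'not-a-direction'] as $input) { // constructed inputs
    printf("%-16s vulnerable=%-5s hardened=%s\n", $input,
        var_export(param_is_valid($vulnerable_args, 'order', $input), true),
        var_export(param_is_valid($hardened_args, 'order', $input), true));
}
echo build_order_by('event_date', 'not-a-direction'), "\n"; // falls back to ASC
```

The vulnerable validator reports both inputs as valid; the hardened one rejects the second, and build_order_by never emits anything but the allowlisted column and direction.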
Key Findings
| Finding | Detail |
|---|---|
| CVE | CVE-2026-49772 |
| Endpoint | GET /wp-json/tec/v1/events?orderby=event_date&order= |
| Injection class | Read-only blind SQLi (boolean + time oracles) |
| Extractable data | wp_users hashes, session tokens, application passwords, options |
| Fixed version | 6.16.3 |
Attack Chain
GET /wp-json/tec/v1/events?orderby=event_date&order=<injection>
↓
ORDER BY clause concatenation
↓
Boolean/time oracle extraction (--users, --recon, --query)
Impact
Full database read for unauthenticated attackers — credential material enables site takeover without write primitives.
Mitigation
- Update The Events Calendar to 6.16.3 or later.
- Block /wp-json/tec/v1/ at the WAF until patched.
- Rotate passwords and application passwords if the plugin was vulnerable and internet-exposed.