Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection.
This issue affects The Events Calendar: from 6.15.12 through 6.16.2.
Score 9.3 from GitHub Security Advisory (severity: CRITICAL) published 2026-06-16. a secondary CVSS source baseline 9.3; sources differ by 0.0.
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection.
This issue affects The Events Calendar: from 6.15.12 through 6.16.2.
June 16, 2026
June 16, 2026
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Working exploit code is in the public domain (1 GitHub PoC). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
CVE-2026-49772 — The Events Calendar (WordPress) unauthenticated blind SQLi PoC
Open source ↗Explore the affected products and dependency analysis for CVE-2026-49772
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.