PT-2026-22024 · WordPress · The Events Calendar
Sdokus · Published 2026-02-25 · Updated 2026-02-26
CVE-2026-2694
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions
The Events Calendar plugin for WordPress versions prior to 6.15.16
Description
The Events Calendar plugin for WordPress is susceptible to unauthorized modification and potential loss of data due to an insufficient capability check within the can edit and can delete functions. Authenticated attackers with Contributor-level access or higher can use the REST API to modify or delete events, organizers, and venues. The vulnerable parameters include event data, organizer data, and venue data.
Recommendations
Update The Events Calendar plugin to version 6.15.16 or later.
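To find installations still below the fixed release, this added example (not part of the advisory or of the plugin) audits per-site output of `wp plugin list --format=json`. The plugin slug `the-events-calendar`, the site names and the inventory data are assumptions constructed for illustration. Versions are compared numerically because a plain string comparison ranks 6.15.9 above 6.15.16.

```python
import json
import re

FIXED = (6, 15, 16)            # first fixed release named in the advisory
SLUG = "the-events-calendar"   # assumption: the plugin's directory slug


def parse_version(text):
    """Return a tuple of ints, or None unless the string is dotted-numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True below 6.15.16, False at or above it, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    width = max(len(parsed), len(FIXED))
    pad = lambda t: t + (0,) * (width - len(t))   # (6, 15) -> (6, 15, 0)
    return pad(parsed) < pad(FIXED)


def audit(inventory):
    """inventory maps site -> JSON text from `wp plugin list --format=json`."""
    findings = []
    for site, raw in sorted(inventory.items()):
        for plugin in json.loads(raw):
            if plugin.get("name") != SLUG:
                continue
            version = str(plugin.get("version", ""))
            verdict = is_affected(version)
            if verdict is None:
                findings.append((site, version, "review"))   # e.g. beta tags
            elif verdict:
                # An inactive plugin is not loaded, but still needs updating.
                active = plugin.get("status") == "active"
                findings.append((site, version,
                                 "affected" if active else "affected-inactive"))
    return findings


# Constructed sample inventory (not real sites or real scan output).
SAMPLE = {
    "blog.example": '[{"name":"the-events-calendar","status":"active","version":"6.15.9"}]',
    "shop.example": '[{"name":"the-events-calendar","status":"active","version":"6.15.16"}]',
    "old.example": '[{"name":"the-events-calendar","status":"inactive","version":"6.9.0"}]',
    "dev.example": '[{"name":"the-events-calendar","status":"active","version":"6.16.0-beta1"}]',
    "wiki.example": '[{"name":"akismet","status":"active","version":"5.3"}]',
}

if __name__ == "__main__":
    for site, version, state in audit(SAMPLE):
        print(f"{site}\t{version}\t{state}")
```

Entries marked `review` carry a version string the comparison cannot rank and need a manual check.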
Fix
Improper Authorization
Affected Products
The Events Calendar