{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2694", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-18T14:27:32.253Z", "datePublished": "2026-02-25T21:25:02.211Z", "dateUpdated": "2026-04-08T16:58:09.763Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:09.763Z"}, "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.15.16", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with Contributor-level access and above, to update or trash events, organizers and venues via REST API."}], "title": "The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/67351a37-a457-48d6-b40a-95a7e3a0d746?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L563"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L498"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L583"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L529"}, {"url": "https://plugins.trac.wordpress.org/changeset/3468694/the-events-calendar"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "timeline": [{"time": "2026-02-18T14:43:58.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-25T08:50:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:40:14.401017Z", "id": "CVE-2026-2694", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:40:41.317Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2694", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T21:40:14.401017Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:40:30.612Z"}}], "cna": {"title": "The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API", "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.15.16"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T14:43:58.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-25T08:50:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/67351a37-a457-48d6-b40a-95a7e3a0d746?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L563"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L498"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L583"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L529"}, {"url": "https://plugins.trac.wordpress.org/changeset/3468694/the-events-calendar"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with Contributor-level access and above, to update or trash events, organizers and venues via REST API."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:09.763Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2694", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:09.763Z", "dateReserved": "2026-02-18T14:27:32.253Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-25T21:25:02.211Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with Contributor-level access and above, to update or trash events, organizers and venues via REST API."}, {"lang": "es", "value": "El plugin The Events Calendar para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos y a la p\u00e9rdida de datos debido a una verificaci\u00f3n de capacidad inadecuada en la funci\u00f3n 'can_edit' y 'can_delete' en todas las versiones hasta la 6.15.16, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Colaborador y superior, actualizar o enviar a la papelera eventos, organizadores y ubicaciones a trav\u00e9s de la API REST."}], "id": "CVE-2026-2694", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-25T22:16:28.027", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L498"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L563"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L529"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L583"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3468694/the-events-calendar"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/67351a37-a457-48d6-b40a-95a7e3a0d746?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.15.16]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "The Events Calendar", "source": "cna", "vendor": "stellarwp"}, "product": "the_events_calendar", "vendor": "stellarwp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:03:37.087507+00:00", "value": {"mitigation_remediation": ["Upgrade the The Events Calendar plugin to version 6.15.17 or newer to apply the authorization fix.", "Revoke the Contributor capability to edit or delete events, organizers, and venues by adjusting role permissions through a role\u2011management plugin or custom code.", "Disable or restrict the REST API endpoints for events, organizers, and venues to privileged users only, for example by adding a security snippet that removes the endpoints from the public REST API when a Contributor\u2011level session is detected."], "summary": {"action": "Patch Now", "impact": "Unauthorized modification of event, organizer, and venue data via REST API"}, "threat_synthesis": {"affected_systems": "WordPress sites running the The Events Calendar plugin by StellarWP with any version up to and including 6.15.16 are impacted. All editions that expose the REST API endpoints for single event, organizer, and venue objects are included.", "description_and_impact": "The vulnerability in The Events Calendar plugin arises from an improper capability check within the can_edit and can_delete functions. Authenticated attackers possessing Contributor-level access or higher can use exposed REST API endpoints to update or trash events, organizers, and venues. This flaw effectively elevates the attacker\u2019s privileges, allowing them to alter or delete content intended for higher\u2011privileged users. The weakness corresponds to CWE\u2011285, representing an authorization check failure that jeopardizes data integrity and availability.", "risk_and_exploitability": "The CVSS v3 score of 5.4 indicates medium severity, while an EPSS score of less than 1% shows a very low likelihood of active exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalog. Exploitation requires legitimate credentials with Contributor or higher rights and access to the site\u2019s REST API, typically through an authenticated AJAX request. Although the attack vector is limited to authenticated users, the potential for data loss or alteration makes it a concern for sites with active event management workflows."}}}}, "created": "2026-02-26T13:10:54.927358+00:00", "updated": "2026-04-15T18:15:10.814813+00:00", "vendors": ["stellarwp", "stellarwp$PRODUCT$the_events_calendar", "wordpress", "wordpress$PRODUCT$wordpress"]}