CVE-2026-2694 - Vulnerability Details

- The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API

Description

The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with Contributor-level access and above, to update or trash events, organizers and venues via REST API.

Published: 2026-02-25

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in The Events Calendar plugin arises from an improper capability check within the can_edit and can_delete functions. Authenticated attackers possessing Contributor-level access or higher can use exposed REST API endpoints to update or trash events, organizers, and venues. This flaw effectively elevates the attacker’s privileges, allowing them to alter or delete content intended for higher‑privileged users. The weakness corresponds to CWE‑285, representing an authorization check failure that jeopardizes data integrity and availability.

Affected Systems

WordPress sites running the The Events Calendar plugin by StellarWP with any version up to and including 6.15.16 are impacted. All editions that expose the REST API endpoints for single event, organizer, and venue objects are included.

Risk and Exploitability

The CVSS v3 score of 5.4 indicates medium severity, while an EPSS score of less than 1% shows a very low likelihood of active exploitation at the time of analysis. The flaw is not listed in the CISA KEV catalog. Exploitation requires legitimate credentials with Contributor or higher rights and access to the site’s REST API, typically through an authenticated AJAX request. Although the attack vector is limited to authenticated users, the potential for data loss or alteration makes it a concern for sites with active event management workflows.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

stellarwp

The Events Calendar

unaffected

Version	Status	Constraints
`0`	affected	≤ 6.15.16

No data.

Vendor Product Confidence Versions

Stellarwp

The Events Calendar

100%

Version	Status	Scheme	Platform
`[0,6.15.16]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the The Events Calendar plugin to version 6.15.17 or newer to apply the authorization fix.
Revoke the Contributor capability to edit or delete events, organizers, and venues by adjusting role permissions through a role‑management plugin or custom code.
Disable or restrict the REST API endpoints for events, organizers, and venues to privileged users only, for example by adding a security snippet that removes the endpoints from the public REST API when a Contributor‑level session is detected.

Generated by OpenCVE AI on April 15, 2026 at 18:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00055.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L498
https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L563
https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L529
https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L583
https://plugins.trac.wordpress.org/changeset/3468694/the-events-calendar
https://www.wordfence.com/threat-intel/vulnerabilities/id/67351a37-a457-48d6-b40a-95a7e3a0d746?source=cve

History

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Stellarwp Stellarwp the Events Calendar Wordpress Wordpress wordpress
Vendors & Products		Stellarwp Stellarwp the Events Calendar Wordpress Wordpress wordpress

Wed, 25 Feb 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Feb 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with Contributor-level access and above, to update or trash events, organizers and venues via REST API.
Title		The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API
Weaknesses		CWE-285
References		https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L498 https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L563 https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L529 https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L583 https://plugins.trac.wordpress.org/changeset/3468694/the-events-calendar https://www.wordfence.com/threat-intel/vulnerabilities/id/67351a37-a457-48d6-b40a-95a7e3a0d746?source=cve
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

Stellarwp The Events Calendar

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-25T21:25:02.211Z

Updated: 2026-04-08T16:58:09.763Z

Reserved: 2026-02-18T14:27:32.253Z

Link: CVE-2026-2694

Vulnrichment

Updated: 2026-02-25T21:40:30.612Z

NVD

Status : Deferred

Published: 2026-02-25T22:16:28.027

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2694

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses

CWE-285

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object