The Events Calendar Missing Authorization Vulnerability in WordPress

Vulnerability

A vulnerability exists in The Events Calendar plugin for WordPress, allowing unauthorized access to data migration controls. This issue arises from a missing capability check in the 'start_migration', 'cancel_migration', and 'revert_migration' functions, affecting all versions through 6.15.13. As a result, authenticated attackers with subscriber-level access or higher can manipulate the Custom Tables V1 database migration, including the ability to completely remove custom database tables by reverting the migration.

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of database migration processes, allowing for the removal of custom database tables.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level access or higher can invoke the 'start_migration', 'cancel_migration', or 'revert_migration' functions. The absence of proper capability checks allows these actions to be performed without the necessary permissions, particularly the 'revert_migration' function, which can be used to drop custom database tables.
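As an added illustration, not code from The Events Calendar or its vendor, the missing-capability-check pattern described above beside a hardened WordPress AJAX handler; the hook names, option name, nonce action and the choice of the manage_options capability are assumptions, since the page does not show how the plugin wires these functions.

```php
<?php
// Added illustration, not The Events Calendar's own code. Hook names, the
// option name, the nonce action and the capability are hypothetical.

// Vulnerable pattern: wp_ajax_* hooks fire for every logged-in user, so a
// subscriber reaches the handler; without a capability check the privileged
// migration action runs for anyone who can log in.
function example_revert_migration_vulnerable() {
    // No current_user_can() and no nonce verification before a state change.
    example_record_migration_state( 'reverted' );
    wp_send_json_success( array( 'state' => 'reverted' ) );
}
add_action( 'wp_ajax_example_revert_migration', 'example_revert_migration_vulnerable' );

// Hardened pattern: verify request intent (nonce) and authorization
// (capability) before touching migration state. The capability check is the
// one that closes the bug class this advisory describes.
function example_revert_migration_hardened() {
    // Rejects requests without a valid nonce; on failure WordPress responds
    // with HTTP 403 and stops execution.
    check_ajax_referer( 'example_migration_nonce', 'nonce' );

    // By default only administrators hold manage_options; subscriber,
    // contributor, author and editor roles do not.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    example_record_migration_state( 'reverted' );
    wp_send_json_success( array( 'state' => 'reverted' ) );
}
add_action( 'wp_ajax_example_revert_migration_fixed', 'example_revert_migration_hardened' );

// Stand-in for the real migration step (the plugin's own code would alter
// its custom tables); here the state is persisted as a hypothetical option.
function example_record_migration_state( $state ) {
    update_option( 'example_ct1_migration_state', sanitize_key( $state ) );
}
```

The same check applies to each of the start, cancel and revert actions; a capability check on only one of them leaves the others exposed.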

Remediation

Users are advised to update The Events Calendar plugin to version 6.15.13.1 or a newer patched version.

Added: Jan 20, 2026, 3:38 PM
Updated: Jan 20, 2026, 3:38 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 5.0
exploitability: 6.4
remediation: 7.7
relevance: 2.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.