The Events Calendar Improper Authorization Vulnerability in WordPress REST API

Vulnerability

A vulnerability exists in The Events Calendar plugin for WordPress, allowing unauthorized data modification and potential data loss. This issue arises from an inadequate capability check on the 'can_edit' and 'can_delete' functions in versions up to and including 6.15.16. As a result, authenticated attackers with Contributor-level access or higher can manipulate or delete events, organizers, and venues through the REST API.

Impact

Exploitation of this vulnerability could lead to unauthorized updates or deletions of events, organizers, and venues via the WordPress REST API.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can send a request to the REST API to update or delete an event, organizer, or venue. Because the capability check on these operations is inadequate, the request passes authorization and the user can make changes they should not be able to.
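The class of defect the advisory describes, a REST permission check that is not tied to the specific object being modified, is illustrated with the added PHP example below. It is not The Events Calendar's own code; the route namespace, post type constant and function names are hypothetical placeholders.

```php
<?php
// Added illustration, not The Events Calendar's own code. Shows the bug class
// in the advisory: a REST permission callback that is not object-level.
// Route, post type and function names are hypothetical placeholders.

const EXAMPLE_EVENT_POST_TYPE = 'example_event'; // placeholder post type

// Weak check: a role-wide capability only. Every Contributor holds
// edit_posts, so this passes for any event, including ones the caller
// does not own, and for published ones a Contributor should not touch.
function example_can_delete_weak( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Hardened check: resolve the target object, confirm its type, then ask
// WordPress whether THIS user may delete THIS post. The delete_post
// meta-capability maps to delete_others_posts / delete_published_posts
// etc. based on ownership and status, so Contributors are limited to
// their own unpublished items.
function example_can_delete_event( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    if ( ! $post || EXAMPLE_EVENT_POST_TYPE !== $post->post_type ) {
        return new WP_Error( 'rest_not_found', 'No such event.', [ 'status' => 404 ] );
    }
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed.', [ 'status' => 403 ] );
    }
    return true;
}

// Handler runs only after the permission callback returned true.
function example_delete_event( WP_REST_Request $request ) {
    $deleted = wp_delete_post( (int) $request['id'], true );
    return rest_ensure_response( [ 'deleted' => (bool) $deleted ] );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/events/(?P<id>\d+)', [
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_event',
        'permission_callback' => 'example_can_delete_event', // not the weak one
        'args'                => [
            'id' => [ 'validate_callback' => 'is_numeric' ],
        ],
    ] );
} );
```

The same pattern applies to an update route with the edit_post meta-capability in place of delete_post.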

Remediation

Users are advised to update The Events Calendar plugin to version 6.15.16.1 or a newer patched version.

Added: Feb 26, 2026, 6:02 AM
Updated: Feb 26, 2026, 6:02 AM

Vulnerability Rating

Custom Algorithm

spread:         6.4
impact:         0.6
exploitability: 6.4
remediation:    7.7
relevance:      3.2
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.