Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.4
WordPress The Events Calendar plugin allows attackers to modify events
CVE-2026-2694
Summary
The Events Calendar plugin for WordPress has a security flaw that lets attackers with contributor access delete or change events. This could lead to loss of data or unauthorized changes to your calendar. Update the plugin to the latest version to fix the issue.
Original title
The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in a...
Original description
The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with Contributor-level access and above, to update or trash events, organizers and venues via REST API.
nvd CVSS3.1
5.4
Vulnerability type
CWE-285
Improper Authorization
- https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/...
- https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/...
- https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/...
- https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/...
- https://plugins.trac.wordpress.org/changeset/3468694/the-events-calendar
- https://www.wordfence.com/threat-intel/vulnerabilities/id/67351a37-a457-48d6-b40...
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026