CVE-2026-2694

Published: Feb 25, 2026Modified: Feb 27, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Exploitability: 2.8 / Impact: 2.5

Source: security@wordfence.com

Description

The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' function in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with Contributor-level access and above, to update or trash events, organizers and venues via REST API.

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (6)

https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L498

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Event.php#L563

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L529

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.16/src/Tribe/REST/V1/Endpoints/Single_Venue.php#L583

Source: security@wordfence.com

https://plugins.trac.wordpress.org/changeset/3468694/the-events-calendar

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/67351a37-a457-48d6-b40a-95a7e3a0d746?source=cve

Source: security@wordfence.com

Timeline

No history available yet.