WordPress Security Bulletin: The Events Calendar Plugin Vulnerability (CVE-2026-2694)

Security Alert Summary

The Events Calendar plugin for WordPress contains an improper capability check in its can_edit and can_delete functions in versions up to and including 6.15.16. Authenticated users with Contributor-level access or higher may be able to update or trash events, organizers, and venues via the plugin’s REST API.


CVE Details

  • CVE ID: CVE-2026-2694
  • Affected component: The Events Calendar plugin for WordPress
  • Affected versions: All versions up to and including 6.15.16
  • Published: February 25, 2026 at 10:16:28 PM UTC
  • Last modified: February 25, 2026 at 10:16:28 PM UTC
  • CVSS v3.1 base score: 5.4
  • CVSS v3.1 severity: MEDIUM
  • CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
  • Authentication / privileges / user interaction: Privileges Required: LOW (the description specifies Contributor-level access and above); User Interaction: NONE
  • Primary impact: Integrity: LOW; Availability: LOW; Confidentiality: NONE
  • Weakness (CWE): CWE-285 (Improper Authorization)

Technical Details

The vulnerability is caused by an improper capability check in the plugin’s can_edit and can_delete functions. Because these checks do not correctly enforce capability requirements, authenticated users with Contributor-level access or higher can perform update or trash actions on events, organizers, and venues using the plugin’s REST API endpoints.

The issue specifically affects REST API operations that allow updating or trashing of single event and venue resources (see the plugin endpoint implementations referenced in the CVE). The weakness allows modification or deletion of those resources without the intended authorization restrictions.

Impact is limited to the ability to modify or remove event-related content (integrity and availability impacts). The CVE data does not indicate confidentiality loss or remote code execution.
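The following is an added illustration of the weakness class described above, not code from The Events Calendar or from the CVE entry. It registers a hypothetical REST route for an "event" resource and shows a permission callback that only checks for a logged-in user beside one that asks WordPress whether the caller may edit or delete the specific object. The route namespace, function names and handlers are placeholders; `current_user_can()` with the `edit_post` / `delete_post` meta capabilities, `rest_authorization_required_code()` and the `WP_REST_Server` constants are core WordPress APIs.

```php
<?php
// Added example; not the plugin's own code. Route and function names are hypothetical.

// WEAK: any authenticated user passes, regardless of role, ownership or post status.
// A Contributor can therefore reach the update/trash handlers for published events.
function weak_can_edit( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// Resolve the target post once; a missing object must not fall through to "allowed".
function example_get_target_post( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    if ( ! $post instanceof WP_Post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    return $post;
}

// HARDENED: check the meta capability for this specific object. WordPress maps
// edit_post to edit_posts / edit_others_posts / edit_published_posts depending on
// ownership and status, so a Contributor cannot edit another author's published event.
function hardened_can_edit( WP_REST_Request $request ) {
    $post = example_get_target_post( $request );
    if ( is_wp_error( $post ) ) {
        return $post;
    }
    if ( ! current_user_can( 'edit_post', $post->ID ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to edit this item.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function hardened_can_delete( WP_REST_Request $request ) {
    $post = example_get_target_post( $request );
    if ( is_wp_error( $post ) ) {
        return $post;
    }
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to delete this item.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Minimal handlers so the route is functional; the permission callbacks above
// run before these and are the only thing standing between a caller and the write.
function example_update_event( WP_REST_Request $request ) {
    $result = wp_update_post( array(
        'ID'         => (int) $request['id'],
        'post_title' => sanitize_text_field( (string) $request->get_param( 'title' ) ),
    ), true );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'updated' => $result ) );
}

function example_trash_event( WP_REST_Request $request ) {
    if ( ! wp_trash_post( (int) $request['id'] ) ) {
        return new WP_Error( 'rest_cannot_delete', 'The item cannot be trashed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'trashed' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/events/(?P<id>\d+)', array(
        array(
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_update_event',
            'permission_callback' => 'hardened_can_edit',   // never weak_can_edit
            'args'                => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
        ),
        array(
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => 'example_trash_event',
            'permission_callback' => 'hardened_can_delete',
        ),
    ) );
} );
```

The point of the hardened form is that the decision is made per object: the same Contributor who may edit their own draft is refused on someone else's published event, which is the distinction a role-only or login-only check cannot make. Returning a `WP_Error` with a 401/403 status from the permission callback also lets the REST server report the refusal consistently instead of leaking into the handler.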


How This Could Impact Your Website

Consider a small organization running The Events Calendar with multiple contributors and editors: a contributor (external contractor or volunteer) could use the REST API to update or trash events, venues, or organizers beyond their intended permissions. That might result in published events being altered, event dates or locations being changed, or events being moved to trash, which could confuse attendees and disrupt scheduling.

For example, an internal staff member creating event content could find published events missing or incorrectly modified by another authenticated contributor account. Restoring lost event data may require manual intervention and could cause missed registrations or attendance.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
  • Review and reduce unnecessary user roles and capabilities, especially for Contributor-level accounts.
  • Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual changes to events, venues, or organizers and for unexpected trashing of content.
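As an added example of the monitoring step above (not part of the bulletin, and not code from the plugin), the snippet below hooks WordPress's own `post_updated` and `wp_trash_post` actions and writes an audit line whenever event content changes, flagging the case a defender cares most about here: a Contributor-role account modifying or trashing an item it does not own. It assumes the post-type slugs `tribe_events`, `tribe_venue` and `tribe_organizer` (the types The Events Calendar registers) and logs via `error_log()`; point it at your SIEM or activity-log plugin as needed.

```php
<?php
// Added detection example; not from the plugin or the bulletin.
// Post-type slugs are assumed to be The Events Calendar's registered types.
const EXAMPLE_EVENT_POST_TYPES = array( 'tribe_events', 'tribe_venue', 'tribe_organizer' );

function example_is_event_content( $post_id ) {
    $post = get_post( $post_id );
    return $post instanceof WP_Post && in_array( $post->post_type, EXAMPLE_EVENT_POST_TYPES, true );
}

// Build the audit record; returned as an array so it can be tested or shipped elsewhere.
function example_event_audit_record( $action, $post_id ) {
    if ( ! example_is_event_content( $post_id ) ) {
        return null;
    }
    $post = get_post( $post_id );
    $user = wp_get_current_user();

    // A Contributor touching another author's item is exactly what the improper
    // capability check permits, so that combination is escalated to ALERT.
    $is_contributor = in_array( 'contributor', (array) $user->roles, true );
    $not_owner      = (int) $post->post_author !== (int) $user->ID;

    return array(
        'level'     => ( $is_contributor && $not_owner ) ? 'ALERT' : 'INFO',
        'action'    => $action,
        'post_id'   => (int) $post->ID,
        'post_type' => $post->post_type,
        'author'    => (int) $post->post_author,
        'user_id'   => (int) $user->ID,
        'login'     => $user->user_login,
        'roles'     => implode( ',', (array) $user->roles ),
        'via_rest'  => ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ? 'yes' : 'no',
        'ip'        => isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
            : 'unknown',
    );
}

function example_log_event_change( $action, $post_id ) {
    $rec = example_event_audit_record( $action, $post_id );
    if ( null === $rec ) {
        return;
    }
    $pairs = array();
    foreach ( $rec as $k => $v ) {
        if ( 'level' !== $k ) {
            $pairs[] = $k . '=' . $v;
        }
    }
    error_log( sprintf( '[%s] events-audit %s', $rec['level'], implode( ' ', $pairs ) ) );
}

// post_updated fires on every save of an existing post, including REST updates.
add_action( 'post_updated', function ( $post_id, $post_after, $post_before ) {
    example_log_event_change( 'update', $post_id );
}, 10, 3 );

// wp_trash_post fires before the post is moved to the trash.
add_action( 'wp_trash_post', function ( $post_id ) {
    example_log_event_change( 'trash', $post_id );
}, 10, 1 );
```

Drop this in a small must-use plugin so it loads regardless of theme or plugin state. The `via_rest` field matters because the vulnerability is reachable through the REST API; an `ALERT` line with `via_rest=yes` from a Contributor login is the signature to alert on, and for the role-review step above, `wp user list --role=contributor` (WP-CLI) gives you the list of accounts to check against it.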

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
