Modern Events Calendar Lite < 5.16.6 - Authenticated SQL Injection
Description
The Modern Events Calendar Lite WordPress plugin, in versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in Modern Events Calendar Lite <5.16.6 via unsanitized mec[post_id] parameter, exploitable by any authenticated user if the frontend submission form is publicly embedded.
Vulnerability
The Modern Events Calendar Lite WordPress plugin versions before 5.16.6 contain an authenticated SQL injection vulnerability in the mec_fes_form AJAX action. The mec[post_id] POST parameter is not sanitized before being used in SQL queries. By default, the action requires author+ privileges, but if the Frontend Event Submission form is embedded on a public page, any authenticated user (including subscribers) can trigger the vulnerability [1].
Exploitation
An attacker must be logged in as an authenticated user (author+ by default, or any role if the form is publicly embedded). The attacker sends a crafted POST request to the mec_fes_form AJAX endpoint with a malicious value in the mec[post_id] parameter containing SQL injection payloads. No additional user interaction is required beyond being authenticated [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries against the WordPress database. This can lead to data exfiltration (e.g., user credentials, posts, options), data modification, or deletion, potentially resulting in privilege escalation or full site compromise [1].
Mitigation
The vulnerability is fixed in version 5.16.6 of the plugin. Users should update to this version or later immediately. No workarounds are documented. The plugin is actively maintained, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog [1].
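A defender-side check, added here and not part of the WPScan record or the plugin's code: it flags installed plugin versions that fall below the fixed release named above, and classifies admin-ajax.php POST bodies for the mec_fes_form action by whether mec[post_id] carries the integer the submission form is expected to send. All version strings and request bodies below are constructed samples.

```python
from urllib.parse import parse_qs

# First release the page names as fixed; everything below it is in the affected range.
FIXED_VERSION = (5, 16, 6)

def parse_version(version: str) -> tuple:
    """Turn '5.16.5' (or a short form such as '5.9') into a comparable 3-tuple."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_affected(version: str) -> bool:
    """True when an installed plugin version is below the fixed release."""
    return parse_version(version) < FIXED_VERSION

def inspect_request(body: str) -> str:
    """Classify a form-encoded admin-ajax.php POST body.

    Returns 'irrelevant' for other AJAX actions, 'ok' when mec[post_id] is
    absent, blank or an ASCII integer (what the submission form itself sends),
    and 'suspicious' for any other value, which the vulnerable versions
    would have passed into SQL unsanitised.
    """
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "mec_fes_form":
        return "irrelevant"
    for value in params.get("mec[post_id]", []):
        if value != "" and not (value.isascii() and value.isdigit()):
            return "suspicious"
    return "ok"

if __name__ == "__main__":
    # Constructed sample data: not captured traffic and not a real version inventory.
    for v in ("5.16.5", "5.16.6", "5.9"):
        print(v, "affected" if is_affected(v) else "fixed")
    samples = [
        "action=mec_fes_form&mec%5Bpost_id%5D=42&mec%5Btitle%5D=Meetup",
        "action=mec_fes_form&mec%5Bpost_id%5D=42%27",  # stray quote, not a post ID
        "action=heartbeat&_nonce=deadbeef",
    ]
    for body in samples:
        print(inspect_request(body), "<-", body)
```

Access logs normally omit POST bodies, so the request check is meant for a WAF, reverse proxy or application-level hook that sees the body, while the version check runs against a plugin inventory.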
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress / Modern Events Calendar Lite
- Range: <5.16.6
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1. wpscan.com/vulnerability/26819680-22a8-4348-b63d-dc52c0d50ed0 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.