What versions of Spiffy Calendar have CVE-2022-46859?

All up to 4.9.1. Update to 4.9.2 or later.

How do I check if my site has Spiffy Calendar SQL injection?

WP admin > Plugins. Or WP-CLI: wp plugin list | grep spiffy.

Can CVE-2022-46859 lead to full site takeover?

Yes—DB dump to RCE via file writes or plugin uploads.

Spiffy Calendar SQL Injection Lets Hackers Hijack WordPress Databases

A straightforward SQL injection in Spiffy Calendar plugin opens doors for database dumps and site takeovers. Thousands of WordPress installs could be vulnerable—time to check yours.

theAIcatchup Apr 08, 2026 3 min read

Red alert icon over WordPress dashboard with Spiffy Calendar plugin highlighted

⚡ Key Takeaways

CVE-2022-46859 enables unauthenticated SQL injection in Spiffy Calendar up to v4.9.1, risking full database compromise. 𝕏
WordPress plugin ecosystem's lax auditing fuels repeat vulns like this; patch immediately or switch plugins. 𝕏
Thousands of sites may still be exposed—audit now, as botnets target WP SQLi aggressively. 𝕏

Published by

theAIcatchup

Threat intelligence. Zero noise.

#CVE-2022-46859 #SQL injection #Spiffy Calendar #WordPress Vulnerability

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by NVD Vulnerabilities

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

CVE-2022-46808: The SQL Injection Lurking in ARMember's Membership Plugin

Slimstat's SQL Injection Nightmare: CVE-2022-45373 Cracks Open Analytics Doors

CVE-2022-47428: The SQL Injection Lurking in Your WordPress Booking Calendar

CVE-2022-46818: SQL Injection Lets Attackers Raid WordPress Subscriber Lists

Stay in the loop