HIGH 8.8

CVE-2026-11616: Events Calendar for GeoDirectory Privilege Escalation Vulnerability

The Events Calendar for GeoDirectory WordPress plugin contains a privilege escalation flaw that allows authenticated users with Subscriber-level permissions to become Administrator. An attacker can manipulate input fields in a specific AJAX handler to inject WordPress capability data directly into their user profile, granting them full admin rights. This affects versions up to 2.3.28 and requires only valid WordPress account credentials to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-269
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) — with no allow-list — to the attacker-controlled $_POST['type'] and $_POST['postid'] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the 'administrator' array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11616 stems from insufficient input validation in the ajax_ayi_action() handler within the Events Calendar for GeoDirectory plugin. The function applies only strip_tags() and esc_sql() without an allowlist to the $_POST['type'] and $_POST['postid'] parameters before passing them to update_ayi_data(). This function subsequently calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts), which writes arbitrary user metadata. By setting type=wp_capabilities and postid=administrator, an attacker crafts a payload that inserts ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities meta key. On the next request, WordPress's WP_User::get_role_caps() function interprets the 'administrator' array key as an active role, effectively promoting the attacker to Administrator-level access. The vulnerability is classified under CWE-269 (Improper Access Control).

Business impact

This vulnerability poses a severe risk to WordPress sites using the Events Calendar for GeoDirectory plugin. An attacker with minimal access—even a standard Subscriber account—can escalate to full administrative control, enabling them to modify site content, install malicious plugins, extract sensitive data, create backdoor accounts, or take the site offline. Organizations running this plugin should treat this as a critical operational security issue, as the barrier to exploitation is low and the impact is complete system compromise.

Affected systems

The Events Calendar for GeoDirectory plugin for WordPress, versions up to and including 2.3.28, is affected. WordPress installations with this plugin installed and active are at risk if any user account exists with Subscriber-level permissions or higher. Multisite WordPress instances amplify the risk, as a single compromised low-privilege account could cascade across multiple sites sharing the same plugin codebase.

Exploitability

This vulnerability is highly exploitable. It requires only network access and valid WordPress credentials at the Subscriber level or above—a low bar for many sites that allow public user registration. No user interaction is needed; the attack occurs via a direct AJAX call that the attacker can craft programmatically. The attack complexity is low, making it feasible for attackers with basic web security knowledge to automate exploitation at scale.

Remediation

Organizations should immediately update the Events Calendar for GeoDirectory plugin to a patched version released after 2.3.28. Verify the latest available version against the official WordPress plugin repository or the vendor's advisory. If an immediate patch is unavailable, consider disabling the plugin until a fix is released, or restrict plugin functionality through security policies while monitoring for suspicious activity.

Patch guidance

Check the official WordPress plugin repository or the vendor's security advisory for version 2.3.29 or later, which should include validation improvements to the ajax_ayi_action() handler. Apply the update in a staging environment first to verify compatibility with your site's other plugins and customizations. Verify against the vendor advisory that the patch specifically addresses input validation for the type and postid parameters.

Detection guidance

Monitor WordPress audit logs and user meta changes for unexpected wp_capabilities entries in user profiles, particularly for accounts that should not have Administrator roles. Watch for AJAX requests to the ajax_ayi_action() handler with suspicious type or postid values, especially those containing 'wp_capabilities' or 'administrator'. Examine user role changes that occur without corresponding admin actions in the WordPress dashboard. Use WordPress security scanning tools to identify installations of the vulnerable plugin version.

Why prioritize this

This vulnerability merits immediate attention due to its high CVSS score (8.8), low attack complexity, low privilege requirements, and severe impact. Any Subscriber-level account can become Administrator, making it critical for organizations with public user registration or multiple user tiers. The fact that this is not yet on the CISA KEV list does not reduce urgency; exploitation is straightforward and the impact is complete system compromise.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects: Network-based attack vector (no physical access needed), Low attack complexity (straightforward input manipulation), Low privilege requirement (Subscriber level suffices), No user interaction required, and severe impact across Confidentiality, Integrity, and Availability. This combination of accessibility and severity places it in the highest practical risk tier for WordPress environments.

Frequently asked questions

Do I need Administrator access to exploit this vulnerability?

No. The vulnerability is exploitable by any authenticated user with Subscriber-level permissions or above. This makes it particularly dangerous on sites that allow public registration or have multiple user accounts with limited privileges.

What is the difference between esc_sql() and proper input validation in this context?

esc_sql() is a database escaping function designed to prevent SQL injection, not to whitelist acceptable values. In this case, the plugin failed to validate that the 'type' parameter should only accept specific, safe user meta keys (like RSVP-related fields) and completely omitted an allowlist approach, allowing arbitrary meta keys like 'wp_capabilities' to be written.

If this is not on the CISA KEV list, should I still prioritize it?

Yes. The KEV catalog tracks vulnerabilities with confirmed exploitation in the wild; the absence of a KEV entry does not indicate lower risk or slower patching timelines. Given the ease of exploitation and severe impact, this should be treated as urgent regardless of KEV status.

Can I prevent exploitation without patching?

Partially. You can restrict user registration, disable the plugin, or use Web Application Firewalls to block requests to the vulnerable AJAX handler. However, these are temporary mitigations. Patching is the only reliable long-term solution.

This intelligence is provided for informational purposes. SEC.co makes no warranty regarding the accuracy or completeness of this analysis. Verify all patch version numbers and remediation steps against the official vendor advisory before implementing. Conduct thorough testing in non-production environments before deploying patches to production systems. This explainer does not constitute legal, compliance, or comprehensive security advice; consult with your security team and compliance officer for guidance specific to your organization. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).