HarborGuard Database

CVE-2026-11616 | Severity: HIGH | CNA: Wordfence

CVE-2026-11616: Events Calendar for GeoDirectory <= 2.3.28 - Authenticated (Subscriber+) Privilege Escalation

The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) — with no allow-list — to the attacker-controlled $_POST['type'] and $_POST['postid'] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the 'administrator' array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator.
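The data flow described above, modelled in Python as an added example so that the missing check is concrete. This is not code from the plugin or from Wordfence: the only facts taken from the advisory are that $_POST['type'] becomes the user-meta key, that $_POST['postid'] is added to that meta's array as both key and value, and that WP_User::get_role_caps() treats every array key in wp_capabilities as a role. The ALLOWED_TYPES names, the event-ID set and the strip_tags/esc_sql approximation are assumptions made for the example.

```python
"""Vulnerable vs. hardened version of the update_ayi_data() flow.

Added example, not plugin code. ALLOWED_TYPES and the event IDs are
placeholders; the advisory does not name the plugin's real RSVP meta keys.
"""
import re
from typing import Dict, List, Set

# Stock WordPress roles. Any of these appearing as a key in the
# wp_capabilities array is treated as an active role on the next request.
KNOWN_ROLES = {"administrator", "editor", "author", "contributor", "subscriber"}

# Hypothetical meta keys the RSVP feature would legitimately write to.
ALLOWED_TYPES = {"ayi_attending", "ayi_maybe", "ayi_not_attending"}


def strip_tags_esc_sql(value: str) -> str:
    """Approximation of strip_tags(esc_sql($value)), the only filtering the
    vulnerable handler applies: esc_sql() backslash-escapes quotes for SQL
    and strip_tags() removes HTML. Neither changes a plain word such as
    'wp_capabilities' or 'administrator'."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return re.sub(r"<[^>]*>", "", escaped)


def vulnerable_update(user_meta: Dict[str, Dict], rsvp_type: str, postid: str) -> None:
    """Mirrors the advisory's description: read meta[type], add
    postid => postid, write it back with update_user_meta(). The meta key
    itself is attacker-chosen, so nothing stops it being wp_capabilities."""
    meta_key = strip_tags_esc_sql(rsvp_type)
    post_key = strip_tags_esc_sql(postid)
    current = dict(user_meta.get(meta_key, {}))
    current[post_key] = post_key
    user_meta[meta_key] = current


def hardened_update(user_meta: Dict[str, Dict], rsvp_type: str, postid: str,
                    event_ids: Set[int]) -> None:
    """The same write, gated the way it should be: meta key from a fixed
    allow-list, post ID coerced to a positive integer (absint() in
    WordPress) and checked against the events that actually exist."""
    if rsvp_type not in ALLOWED_TYPES:
        raise PermissionError("meta key not allowed: %r" % rsvp_type)
    if not postid.isdigit() or int(postid) <= 0:
        raise ValueError("postid must be a positive integer")
    pid = int(postid)
    if pid not in event_ids:
        raise ValueError("no such event: %d" % pid)
    current = dict(user_meta.get(rsvp_type, {}))
    current[pid] = pid
    user_meta[rsvp_type] = current


def active_roles(user_meta: Dict[str, Dict]) -> List[str]:
    """Role resolution as the advisory describes it: every array key in
    wp_capabilities that names a role counts, whatever its value is."""
    return sorted(k for k in user_meta.get("wp_capabilities", {}) if k in KNOWN_ROLES)


def demo():
    """Run the malicious request (type=wp_capabilities, postid=administrator)
    against both paths, then a legitimate RSVP against the hardened one."""
    attacker = {"wp_capabilities": {"subscriber": True}}
    vulnerable_update(attacker, "wp_capabilities", "administrator")
    # attacker["wp_capabilities"] is now
    # {'subscriber': True, 'administrator': 'administrator'}
    escalated = active_roles(attacker)

    events = {101, 102}                       # constructed event post IDs
    safe = {"wp_capabilities": {"subscriber": True}}
    try:
        hardened_update(safe, "wp_capabilities", "administrator", events)
        rejected = False
    except PermissionError:
        rejected = True
    hardened_update(safe, "ayi_attending", "101", events)
    return escalated, rejected, active_roles(safe), safe["ayi_attending"]


if __name__ == "__main__":
    print(demo())
```

In the plugin's own PHP the equivalent gate is `in_array( $type, $allowed_types, true )` on the meta key, `absint( $_POST['postid'] )` followed by a `get_post()` lookup on the ID, and only then `update_user_meta()`. Escaping functions such as esc_sql() address a different bug class (SQL injection) and cannot substitute for an allow-list on a key that selects which row gets written.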

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

This is a privilege escalation vulnerability in the Events Calendar for GeoDirectory plugin for WordPress, affecting all versions up to and including 2.3.28. The flaw is reachable over the network by any authenticated user with at least a Subscriber-level account, with no further conditions required. Successful exploitation lets an attacker overwrite their own WordPress role metadata and immediately gain Administrator-level access to the WordPress site. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as the upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-11616 is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including the Wordfence advisory, within minutes of publication and matched against customer images and pipelines, including custom-built WordPress images that bundle this plugin.

Triage: Available

HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights it against each customer environment's compliance policy to reflect actual exposure. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated version of the plugin is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable AJAX handler is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP or HTTPS.

  • Authentication: Required

    A low-privilege account at Subscriber level or above is sufficient; no elevated or administrative credentials are needed.

  • Victim interaction: Not required

    The attacker sends a crafted POST request directly; no action from another user or administrator is needed.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; the attacker simply supplies controlled POST parameters with no race conditions or environmental factors to overcome.

Blast Radius

  • The attacker can write to any user-meta key on their own account (update_user_meta() is called with $current_user->ID), including wp_capabilities, and so promote that account to Administrator.
  • With Administrator access, the attacker can install or modify plugins and themes, execute arbitrary PHP code, and take full control of the WordPress application.
  • All content, configuration, stored user data, and credentials held in the WordPress database become readable and modifiable.
  • The attacker can create additional backdoor accounts or delete existing users, causing persistent disruption to the site and its users.
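Exploitation leaves a distinctive record in the database, which is the most useful thing to check during triage: WordPress stores wp_capabilities as a PHP-serialized array in which a role it assigned itself carries boolean true (b:1), whereas the write described in this advisory stores the role name as a string value (s:13:"administrator"). The audit below is an added example, not plugin or HarborGuard code; it parses exported wp_usermeta rows with a minimal unserializer and flags that shape. The sample rows are constructed, and the role list assumes a stock site with no custom roles.

```python
"""Audit exported wp_usermeta rows for capabilities written through the
escalation path described above.

Added example, not plugin or HarborGuard code. SAMPLE_ROWS is constructed.
"""
from typing import Any, Dict, List, Tuple

# Stock WordPress roles; assumption: the site defines no custom roles.
KNOWN_ROLES = {"administrator", "editor", "author", "contributor", "subscriber"}

# Constructed wp_usermeta export: (user_id, meta_key, meta_value).
SAMPLE_ROWS: List[Tuple[int, str, str]] = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),   # genuine admin
    (7, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),      # ordinary subscriber
    (42, "wp_capabilities",                                      # escalated account
     'a:2:{s:10:"subscriber";b:1;s:13:"administrator";s:13:"administrator";}'),
    (42, "wp_user_level", "0"),                                  # not a capabilities row
]


def php_unserialize(data: str) -> Any:
    """Minimal PHP unserialize() for the subset WordPress uses in
    wp_capabilities (arrays, strings, ints, bools). PHP string lengths are
    byte counts; role names are ASCII so str indexing is safe here."""
    try:
        value, pos = _parse(data, 0)
    except IndexError:
        raise ValueError("truncated serialized value")
    if pos != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def _parse(s: str, i: int) -> Tuple[Any, int]:
    tag = s[i]
    if tag == "b":                           # b:1;
        end = s.index(";", i)
        return s[i + 2:end] == "1", end + 1
    if tag == "i":                           # i:42;
        end = s.index(";", i)
        return int(s[i + 2:end]), end + 1
    if tag == "s":                           # s:5:"hello";
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                    # skip :"
        text = s[start:start + length]
        if s[start + length:start + length + 2] != '";':
            raise ValueError("bad string terminator at %d" % start)
        return text, start + length + 2
    if tag == "a":                           # a:2:{key;value;key;value;}
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        pos = colon + 2                      # skip :{
        out: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = _parse(s, pos)
            val, pos = _parse(s, pos)
            out[key] = val
        if s[pos] != "}":
            raise ValueError("unterminated array at %d" % pos)
        return out, pos + 1
    raise ValueError("unsupported type tag %r at %d" % (tag, i))


def audit_capabilities(rows: List[Tuple[int, str, str]]) -> List[Tuple[int, str]]:
    """Return (user_id, reason) for every wp_capabilities value that does not
    look like something WordPress's own role API would have written."""
    findings: List[Tuple[int, str]] = []
    for user_id, meta_key, meta_value in rows:
        if meta_key != "wp_capabilities":
            continue
        try:
            caps = php_unserialize(meta_value)
        except ValueError as exc:
            findings.append((user_id, "unparseable capabilities: %s" % exc))
            continue
        if not isinstance(caps, dict):
            findings.append((user_id, "capabilities is not an array"))
            continue
        roles = [k for k in caps if k in KNOWN_ROLES]
        for role in roles:
            # Strong signal: the role key is present but its value is not
            # boolean true, i.e. it was not set through add_role()/set_role().
            if caps[role] is not True:
                findings.append((user_id, "role %r granted with non-boolean value %r"
                                 % (role, caps[role])))
        if len(roles) > 1:
            # Weaker signal: multiple roles are legal but rare; review them.
            findings.append((user_id, "multiple roles assigned: %s"
                             % ", ".join(sorted(roles))))
    return findings


if __name__ == "__main__":
    for uid, why in audit_capabilities(SAMPLE_ROWS):
        print(uid, why)
```

The same strong signal can be pulled straight from MySQL with a query such as `SELECT user_id, meta_value FROM wp_usermeta WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%s:13:"administrator";s:13:"administrator"%'`; substitute the site's table prefix for `wp_` in both the table name and the meta key if it is not the default. Any account matched should be treated as compromised rather than simply demoted, since an attacker with Administrator access has had the opportunity to plant further persistence.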

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-11616 is active across all customer environments that include images bundling the Events Calendar for GeoDirectory plugin, matched within minutes of the advisory ingestion. Because no upstream fix exists at this time, HarborGuard monitors the Wordfence advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a remediated version is published. For customers with auto-remediation enabled, that rebuild will be paired with a regression run and a PR opened against affected workloads without manual intervention.

In the interim, the compensating controls worth considering are the ones that remove the attacker's precondition or cut the exploit path: disable open user registration (the Subscriber-level foothold the bug needs) unless the site depends on it; deactivate the plugin, or block its RSVP AJAX handler with a WAF rule, if RSVP functionality is not in active use; and where the handler must stay live, reject any request whose type parameter is not one of the plugin's own RSVP meta keys, in particular wp_capabilities (or its equivalent under a non-default table prefix). Restricting WordPress AJAX endpoints by network origin only helps where the population of subscriber accounts is itself closed, since the attacker is an authenticated user of the site, and egress filtering limits post-compromise lateral movement but does nothing to prevent the escalation itself. Because exploitation leaves a persistent record, also audit wp_usermeta for accounts whose wp_capabilities carry a role entry whose value is not boolean true, or more than one role, and treat any such account as compromised. Given the CVSS 8.8 HIGH score and the trivial exploit path, prioritizing this finding in the triage queue is warranted for any environment where subscriber-level self-registration is enabled.

Affected packages
  • stiofansisland / Events Calendar for GeoDirectory, ≤ 2.3.28

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H