CVE-2026-11616
Status: Deferred - Pending Action

Privilege Escalation in The Events Calendar for GeoDirectory

Vulnerability report for CVE-2026-11616, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Wordfence

Description

The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()), with no allow-list, to the attacker-controlled $_POST['type'] and $_POST['postid'] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the 'administrator' array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator.


Meta Information

Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-29
AI Q&A: 2026-06-09
EPSS Evaluated: 2026-06-28

Affected Vendors & Products

One associated CPE:
Vendor: the_events_calendar
Product: geodirectory_plugin
Version / Range: up to and including 2.3.28


Exploitability

CWE-269: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Executive Summary

The Events Calendar for GeoDirectory plugin for WordPress has a privilege escalation vulnerability in versions up to and including 2.3.28. This occurs because the ajax_ayi_action() handler inadequately sanitizes attacker-controlled POST parameters 'type' and 'postid' by only applying strip_tags(esc_sql()) without an allow-list. These parameters are then used in update_user_meta() to modify user capabilities.

By passing 'type=wp_capabilities' and 'postid=administrator', an attacker can write administrator-level capabilities into their own user meta. As a result, WordPress treats the attacker as having the administrator role on their next request, allowing a user with Subscriber-level access or higher to escalate their privileges to Administrator.
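The root cause named in the description and the summary above is that the meta key comes from the request with only sanitization, no allow-list. The following hardened AJAX handler is an added example written for this page, not the plugin's own code; the action and nonce names, the allow-listed meta keys, and the event post type are assumptions.

```php
<?php
// Added hardening example (not the plugin's code). Placeholder assumptions:
// the AJAX hook/nonce names, the allow-listed meta keys, and the post type.

// Only these user-meta keys may ever be written by the RSVP feature. Any other
// key (wp_capabilities, wp_user_level, ...) is rejected before update_user_meta().
const AYI_ALLOWED_META_KEYS = array( 'ayi_going', 'ayi_interested' ); // placeholders

function hardened_ayi_action() {
    // 1. Require a valid nonce so the request is tied to a form the site rendered.
    check_ajax_referer( 'ayi_rsvp_nonce', 'nonce' ); // nonce name is an assumption

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 403 );
    }

    // 2. Allow-list the meta key instead of sanitizing free-form input.
    $type = isset( $_POST['type'] ) ? sanitize_key( wp_unslash( $_POST['type'] ) ) : '';
    if ( ! in_array( $type, AYI_ALLOWED_META_KEYS, true ) ) {
        wp_send_json_error( 'invalid type', 400 );
    }

    // 3. postid must be a positive integer that resolves to a published event, so a
    //    string such as "administrator" can never become part of the stored value.
    $post_id = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || 'publish' !== $post->post_status
         || 'gd_event' !== $post->post_type ) { // post type is an assumption
        wp_send_json_error( 'invalid post', 400 );
    }

    // 4. Store an integer list under the allow-listed key for the current user only.
    $user_id = get_current_user_id();
    $stored  = get_user_meta( $user_id, $type, true );
    $posts   = is_array( $stored ) ? array_map( 'absint', $stored ) : array();
    if ( ! in_array( $post_id, $posts, true ) ) {
        $posts[] = $post_id;
    }
    update_user_meta( $user_id, $type, array_values( $posts ) );

    wp_send_json_success( array( 'type' => $type, 'posts' => $posts ) );
}
add_action( 'wp_ajax_ayi_action', 'hardened_ayi_action' ); // hook name is an assumption
```

Note that is_protected_meta() would not have blocked this write, since wp_capabilities has no leading underscore; the explicit allow-list is what closes the hole.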

Impact Analysis

This vulnerability allows an authenticated user with Subscriber-level access or above to escalate their privileges to Administrator. This means an attacker can gain full control over the affected WordPress site.

  • Unauthorized access to administrative functions.
  • Potential to modify site content, settings, and user data.
  • Ability to install malicious plugins or themes.
  • Compromise of site integrity, confidentiality, and availability.
