Mallory

Severity: High

Privilege Escalation in The Events Calendar for GeoDirectory WordPress Plugin

Identifiers: CVE-2026-11616 · CWE-269 (Improper Privilege Management)

CVE-2026-11616 is a privilege escalation vulnerability in The Events Calendar for GeoDirectory plugin for WordPress affecting versions up to and including 2.3.28. The flaw is in the ajax_ayi_action() handler, which accepts attacker-controlled $_POST['type'] and $_POST['postid'] values and only applies strip_tags(esc_sql()) before passing them to update_ayi_data(). No allow-list or other restriction is enforced on the meta key supplied via type. update_ayi_data() subsequently calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts), allowing a logged-in attacker to write arbitrary values into their own user meta under an attacker-chosen key. By supplying type=wp_capabilities and postid=administrator, the attacker can cause their wp_capabilities user meta to contain ['subscriber'=>true,'administrator'=>'administrator']. On the next request, WordPress role resolution via WP_User::get_role_caps() interprets the administrator array key as an active role, resulting in elevation of the attacker's account to Administrator.


Analyst brief: impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker with Subscriber-level access or higher to escalate privileges to Administrator on the affected WordPress site. Administrator access typically enables full control of site configuration and content, user management, plugin and theme management, and may enable further code execution depending on site configuration and installed components.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict or disable access to the vulnerable AJAX functionality exposed by ajax_ayi_action(), especially for low-privileged users such as Subscribers. Review user accounts for unauthorized administrator role assignments and inspect wp_capabilities user meta for anomalous values. Reducing or eliminating Subscriber self-service access to the affected plugin functionality may lower exposure until the plugin is updated.
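The account review above can be scripted. The following is an added example, not Mallory's or the plugin's code: a WP-CLI script (run with `wp eval-file audit-capabilities.php`) that walks every user and reports capability-meta entries that look tampered with. It reads the stored capabilities through `WP_User::$caps`, so it inspects the real `{$table_prefix}capabilities` key whatever the site's table prefix is. The function name is an assumption.

```php
<?php
/**
 * Post-exploitation audit for CVE-2026-11616: list users whose stored
 * capabilities meta does not look like something WordPress core wrote.
 *
 * Added example, not the plugin's own code. Run inside WordPress, e.g.
 *   wp eval-file audit-capabilities.php
 */

/**
 * Return one finding per suspicious (user, meta key) pair.
 *
 * WP_User::$caps is the raw {$table_prefix}capabilities array. Role
 * resolution only looks at the array *keys*, which is why an entry such
 * as 'administrator' => 'administrator' is accepted as an active role.
 */
function audit_user_capabilities_meta() {
    $role_slugs = array_keys( wp_roles()->get_names() );
    $findings   = array();

    foreach ( get_users() as $user ) {
        $caps      = (array) $user->caps;
        $role_keys = array_values( array_intersect( array_keys( $caps ), $role_slugs ) );

        // Core assigns one role per user unless a plugin deliberately stacks
        // them; ['subscriber', 'administrator'] is the exact shape the
        // advisory describes.
        if ( count( $role_keys ) > 1 ) {
            $findings[] = array(
                'user_id' => $user->ID,
                'login'   => $user->user_login,
                'key'     => implode( ',', $role_keys ),
                'value'   => '',
                'reason'  => 'multiple role keys in capabilities meta',
            );
        }

        foreach ( $caps as $cap => $grant ) {
            $is_role = in_array( $cap, $role_slugs, true );

            if ( $is_role && true !== $grant ) {
                // Core only ever stores boolean true for a role; a string,
                // an integer or false was written by something else.
                $reason = 'role entry with non-boolean grant';
            } elseif ( $is_role && 'administrator' === $cap ) {
                // Legitimate admins land here too; this is a review list,
                // not a list of accounts to strip automatically.
                $reason = 'administrator role assigned; confirm it is expected';
            } elseif ( ! $is_role ) {
                // Capabilities granted directly, outside any role, are
                // unusual on most sites and worth a look.
                $reason = 'capability granted directly, outside any role';
            } else {
                continue;
            }

            $findings[] = array(
                'user_id' => $user->ID,
                'login'   => $user->user_login,
                'key'     => $cap,
                'value'   => var_export( $grant, true ),
                'reason'  => $reason,
            );
        }
    }

    return $findings;
}

foreach ( audit_user_capabilities_meta() as $f ) {
    printf( "user %d (%s): %s %s [%s]\n",
        $f['user_id'], $f['login'], $f['key'], $f['value'], $f['reason'] );
}
```

Any hit of the "non-boolean grant" or "multiple role keys" kind on an account that should be a Subscriber is a strong indicator that the meta was written through the vulnerable handler; treat the site as compromised from that account's first login onward rather than simply resetting the role.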

Remediation

Patch, then assume compromise.

Update The Events Calendar for GeoDirectory plugin to a version newer than 2.3.28. The vulnerable code path should be corrected so attacker-controlled input cannot be used as an arbitrary user meta key, particularly wp_capabilities. Proper remediation requires strict server-side allow-list validation for permitted values of type and safe handling of postid before calling update_user_meta().
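The two properties the description and the remediation call for, a fixed allow-list of meta keys and a validated `postid`, look like this in practice. This is an added example of a hardened handler with the same request shape as `ajax_ayi_action()`, not the plugin's own code: the function names, the allow-listed keys, the nonce action and the event post type (`gd_event`) are assumptions.

```php
<?php
/**
 * Hardened AJAX handler for a request carrying $_POST['type'] and
 * $_POST['postid'], shaped like the vulnerable ajax_ayi_action().
 * Added example, not the plugin's own code; names and constants below
 * are assumptions.
 */

// Assumption: the only user-meta keys this feature may ever write.
// The capabilities key, or any other core key, can never appear here,
// so the allow-list is what removes the CWE-269 condition.
const GEODIR_EVENTS_AYI_ALLOWED_TYPES = array(
    'gd_event_attending'  => true,
    'gd_event_interested' => true,
);

// Assumption: the post type of the events the RSVP data refers to.
const GEODIR_EVENTS_AYI_POST_TYPE = 'gd_event';

/**
 * Validate the raw request and return array( $type, $post_id ),
 * or a WP_Error saying why the request is rejected.
 */
function geodir_events_ayi_validate( array $request ) {
    // Key: sanitize_key() lowercases and strips everything outside
    // [a-z0-9_-]; the result is then matched exactly against the
    // allow-list, not filtered and passed through like strip_tags(esc_sql()).
    $type = isset( $request['type'] ) ? sanitize_key( wp_unslash( $request['type'] ) ) : '';
    if ( '' === $type || ! isset( GEODIR_EVENTS_AYI_ALLOWED_TYPES[ $type ] ) ) {
        return new WP_Error( 'ayi_bad_type', 'Unsupported RSVP type.' );
    }

    // Value: postid must be a positive integer naming a published event.
    // A non-numeric string such as a role name becomes 0 and is rejected.
    $post_id = isset( $request['postid'] ) ? absint( $request['postid'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || GEODIR_EVENTS_AYI_POST_TYPE !== $post->post_type || 'publish' !== $post->post_status ) {
        return new WP_Error( 'ayi_bad_post', 'Unknown event.' );
    }

    return array( $type, $post_id );
}

/**
 * AJAX entry point. Registered on wp_ajax_ only, so unauthenticated
 * requests never reach it.
 */
function geodir_events_ayi_action_hardened() {
    // Assumption: the form embeds a nonce from wp_create_nonce( 'geodir_events_ayi' )
    // in a field named 'nonce'. Failure ends the request with a 403.
    check_ajax_referer( 'geodir_events_ayi', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Login required.', 401 );
    }

    $validated = geodir_events_ayi_validate( $_POST );
    if ( is_wp_error( $validated ) ) {
        wp_send_json_error( $validated->get_error_message(), 400 );
    }
    list( $type, $post_id ) = $validated;

    // The key is now one of two fixed strings and the value a list of
    // integers, so the write cannot touch the capabilities meta.
    $user_id = get_current_user_id();
    $stored  = get_user_meta( $user_id, $type, true );
    $posts   = is_array( $stored ) ? array_map( 'absint', $stored ) : array();
    $posts   = array_values( array_unique( array_merge( $posts, array( $post_id ) ) ) );
    update_user_meta( $user_id, $type, $posts );

    wp_send_json_success( array( 'type' => $type, 'posts' => $posts ) );
}
add_action( 'wp_ajax_geodir_events_ayi', 'geodir_events_ayi_action_hardened' );
```

The important design choice is that validation happens on the key as a lookup, not as a sanitizer: `strip_tags()` and `esc_sql()` both return `wp_capabilities` unchanged, so no amount of escaping closes the hole, whereas an allow-list of two fixed strings cannot be widened by any input. Validating `postid` as an existing post of the expected type is what keeps the stored value a list of integers rather than whatever string the client sent.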
Public exploits

No public exploit code observed for this vulnerability.

Recent activity

6 sources tracked across advisories and community write-ups. No news coverage yet; advisories and community discussion only.
