PatchSiren cyber security CVE debrief
CVE-2026-11616 stiofansisland CVE debrief
The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) — with no allow-list — to the attacker-controlled $_POST['type'] and $_POST['postid'] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the 'administrator' array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator.
- Vendor: stiofansisland
- Product: Events Calendar for GeoDirectory
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Administrators and hosting operators of WordPress sites running the Events Calendar for GeoDirectory plugin at version 2.3.28 or earlier. Sites that allow open user registration, or that otherwise hand out Subscriber-level accounts to people they do not fully trust, are the most exposed, because a Subscriber account is all an attacker needs.
Technical summary
The vulnerability exists in the ajax_ayi_action() handler of the Events Calendar for GeoDirectory plugin. The handler passes the attacker-controlled $_POST['type'] and $_POST['postid'] values through strip_tags(esc_sql()) only; that removes HTML tags and escapes SQL metacharacters but does nothing to constrain which user-meta key gets written, and the handler then forwards both values to update_ayi_data(), where $rsvp_args['type'] becomes the meta key in update_user_meta($current_user->ID, $rsvp_args['type'], $posts). Because the caller chooses the key, sending type=wp_capabilities with postid=administrator writes an 'administrator' entry into the caller's own capability array (the key is $table_prefix . 'capabilities', so wp_capabilities on a default-prefix install), and WP_User::get_role_caps() treats any array key that names a role as a held role on the next request, regardless of the value stored under it. The attacker is an ordinary authenticated Subscriber calling the handler the way the plugin intends; the only hostile input is the key name.
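The handler shape described above, with the hardened form a practitioner would expect beside it. This is an added illustration for this debrief, not the plugin's source: only ajax_ayi_action(), update_ayi_data(), the $_POST['type'] and $_POST['postid'] inputs and the update_user_meta() call come from the advisory. The hook name 'wp_ajax_ayi_action', the nonce action 'ayi_rsvp', the allow-listed RSVP kinds, the prefixed meta keys, the 'gd_event' post type and the exact merge step in update_ayi_data() are assumptions made for the example.

```php
<?php
/**
 * Added illustration for the CVE-2026-11616 debrief; not the plugin's code.
 * Names marked "assumed" below are not from the advisory.
 */

/* ---- Vulnerable shape, as the advisory describes it ------------------- */

function vulnerable_ajax_ayi_action() {
	// strip_tags(esc_sql()) removes HTML tags and escapes SQL metacharacters.
	// Neither touches a plain word such as "wp_capabilities", so the caller
	// still chooses the meta key that is written below.
	$rsvp_args = array(
		'type'   => strip_tags( esc_sql( $_POST['type'] ) ),
		'postid' => strip_tags( esc_sql( $_POST['postid'] ) ),
	);
	vulnerable_update_ayi_data( $rsvp_args );
}

function vulnerable_update_ayi_data( $rsvp_args ) {
	$current_user = wp_get_current_user();
	// Assumed merge step: read the existing array, add postid, write back.
	// With type=wp_capabilities and postid=administrator a Subscriber's
	// ['subscriber' => true] becomes
	// ['subscriber' => true, 'administrator' => 'administrator'].
	$posts = get_user_meta( $current_user->ID, $rsvp_args['type'], true );
	$posts = is_array( $posts ) ? $posts : array();
	$posts[ $rsvp_args['postid'] ] = $rsvp_args['postid'];
	update_user_meta( $current_user->ID, $rsvp_args['type'], $posts );
}

/* ---- Hardened shape ---------------------------------------------------- */

// The client may only name an RSVP kind; the server maps it to a
// plugin-prefixed meta key (assumed names). Nothing the client sends is
// ever used as a meta key.
function hardened_ayi_meta_keys() {
	return array(
		'going'      => 'geodir_ayi_going',
		'interested' => 'geodir_ayi_interested',
	);
}

function hardened_ajax_ayi_action() {
	check_ajax_referer( 'ayi_rsvp', 'nonce' ); // assumed nonce action; dies on a bad nonce
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( 'login required', 401 );
	}

	$keys = hardened_ayi_meta_keys();
	$type = isset( $_POST['type'] ) ? sanitize_key( wp_unslash( $_POST['type'] ) ) : '';
	if ( ! isset( $keys[ $type ] ) ) {
		wp_send_json_error( 'unknown rsvp type', 400 );
	}

	// postid must be a positive integer naming a real event post
	// ('gd_event' is an assumed post type name).
	$postid = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
	if ( ! $postid || 'gd_event' !== get_post_type( $postid ) ) {
		wp_send_json_error( 'invalid event', 400 );
	}

	hardened_update_ayi_data( get_current_user_id(), $keys[ $type ], $postid );
	wp_send_json_success( array( 'postid' => $postid ) );
}

function hardened_update_ayi_data( $user_id, $meta_key, $postid ) {
	$posts = get_user_meta( $user_id, $meta_key, true );
	$posts = is_array( $posts ) ? $posts : array();
	$posts[ $postid ] = $postid;
	update_user_meta( $user_id, $meta_key, $posts );
}

add_action( 'wp_ajax_ayi_action', 'hardened_ajax_ayi_action' ); // assumed hook name
```

The allow-list is the important part. A deny-list that only blocks wp_capabilities would miss the site's real key on a non-default table prefix ({prefix}capabilities) and every other sensitive user-meta key the same write path could reach; mapping a small set of client-supplied kinds to server-chosen keys removes the whole class.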
Defensive priority
High
Recommended defensive actions
- Update the Events Calendar for GeoDirectory plugin to a version newer than 2.3.28. The record names 2.3.28 as the last affected version; confirm the fixed version in the plugin changelog before relying on it.
- Until the update is applied, reduce the pool of accounts that can reach the handler: disable open registration, review existing Subscriber accounts, and deactivate the plugin if the site can tolerate it.
- Audit the capabilities user meta for accounts that hold the administrator role without being expected to, and for capability arrays whose role entries are not stored as boolean true (the exploit writes the string 'administrator' as the value). Review web server logs for POST requests to wp-admin/admin-ajax.php from low-privileged accounts around any newly appearing administrator.
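An audit script for the third action, added here for the debrief and not part of the plugin or the CVE record. It runs under WP-CLI (wp eval-file audit-caps.php), reads every user's capabilities meta, and reports the footprint the advisory describes: a role name stored under a non-boolean value, an account holding more than one role, or an administrator login outside a list of known admins. The $known_admins list is an assumption to fill in; the meta key is taken from $wpdb->get_blog_prefix() so it resolves to wp_capabilities on a default single-site install and to the per-site key on multisite.

```php
<?php
/**
 * Added audit script for the CVE-2026-11616 debrief; not the plugin's code.
 * Run from the site root:  wp eval-file audit-caps.php
 */

$known_admins = array( 'admin' ); // assumption: replace with the logins that should hold administrator

/**
 * Inspect one decoded capabilities array and return a list of findings.
 * WP_User::get_role_caps() treats every array key that names a role as a
 * held role whatever the stored value, so the value is only a forensic clue:
 * core writes roles as `true`, the exploit writes 'administrator' => 'administrator'.
 */
function ayi_audit_caps( $login, array $caps, array $role_names, array $known_admins ) {
	$findings = array();
	$roles    = array_values( array_intersect( array_keys( $caps ), $role_names ) );

	foreach ( $roles as $role ) {
		if ( true !== $caps[ $role ] ) {
			$findings[] = sprintf(
				"role '%s' stored as %s, expected true",
				$role,
				var_export( $caps[ $role ], true )
			);
		}
	}
	if ( count( $roles ) > 1 ) {
		$findings[] = 'holds several roles: ' . implode( ', ', $roles );
	}
	if ( in_array( 'administrator', $roles, true ) && ! in_array( $login, $known_admins, true ) ) {
		$findings[] = 'administrator role on an account not in the known-admin list';
	}
	return $findings;
}

global $wpdb;
$role_names = array_keys( wp_roles()->get_names() );

$rows = $wpdb->get_results( $wpdb->prepare(
	"SELECT u.ID, u.user_login, u.user_registered, um.meta_value
	   FROM {$wpdb->usermeta} um
	   JOIN {$wpdb->users} u ON u.ID = um.user_id
	  WHERE um.meta_key = %s",
	$wpdb->get_blog_prefix() . 'capabilities' // wp_capabilities on a default single-site install
) );

$hits = 0;
foreach ( $rows as $row ) {
	$caps = maybe_unserialize( $row->meta_value );
	if ( ! is_array( $caps ) ) {
		WP_CLI::warning( "user {$row->user_login} (#{$row->ID}): capabilities meta is not an array" );
		continue;
	}
	$findings = ayi_audit_caps( $row->user_login, $caps, $role_names, $known_admins );
	if ( $findings ) {
		$hits++;
		WP_CLI::log( sprintf(
			'%s (#%d, registered %s): %s',
			$row->user_login,
			$row->ID,
			$row->user_registered,
			implode( '; ', $findings )
		) );
	}
}
WP_CLI::log( sprintf( '%d of %d users flagged', $hits, count( $rows ) ) );
```

For a flagged account, `wp user remove-role <login> administrator` strips the role and `wp user session destroy <login> --all` invalidates its sessions; treat the account and anything it touched as compromised rather than just cleaned, since the same unconstrained write path could have set other user-meta keys as well.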
Evidence notes
The vulnerability was reported by e-mail (the reporter's address is not preserved in the stored record) and is tracked in the CVE-2026-11616 record on CVE.org and the NVD detail page.
Official resources
The CVE-2026-11616 record was published on 2026-06-09T09:16:28.620Z and last modified on 2026-06-09T13:33:34.393Z.