Description
The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) — with no allow-list — to the attacker-controlled $_POST['type'] and $_POST['postid'] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the 'administrator' array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator.
Published: 2026-06-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Events Calendar for GeoDirectory plugin has a privilege escalation flaw in its AJAX handler. The handler only sanitizes incoming type and postid values with strip_tags(esc_sql()), without an allow‑list, before passing them to update_ayi_data(). An authenticated user can send type=wp_capabilities and postid=administrator, causing the plugin to write a wp_capabilities entry that grants administrator rights to the user. This lets any subscriber‑level or higher user elevate themselves to administrator.

Affected Systems

Affected is the WordPress plugin Events Calendar for GeoDirectory by stiofansisland, versions 2.3.28 and earlier. No other vendors or product versions are mentioned.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Exploitation requires a logged‑in account with Subscriber privileges or higher, and can be performed by sending a crafted AJAX request that updates the user meta. The lack of an allow‑list and reliance on user‑supplied data mean attackers can easily acquire full administrative control.

Generated by OpenCVE AI on June 9, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 2.3.29 or newer to remove the flaw.
  • If an immediate upgrade is not possible, restrict the AJAX endpoint so that only administrators can invoke it or disable the endpoint for non‑administrator roles.
  • Manually audit user accounts for unintended administrator capability entries in wp_capabilities and revoke any that are inappropriate.

Generated by OpenCVE AI on June 9, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Stiofansisland
Stiofansisland events Calendar For Geodirectory
Wordpress
Wordpress wordpress
Vendors & Products Stiofansisland
Stiofansisland events Calendar For Geodirectory
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Description The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) — with no allow-list — to the attacker-controlled $_POST['type'] and $_POST['postid'] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the 'administrator' array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator.
Title Events Calendar for GeoDirectory <= 2.3.28 - Authenticated (Subscriber+) Privilege Escalation
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Stiofansisland Events Calendar For Geodirectory
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T13:32:19.796Z

Reserved: 2026-06-08T19:02:08.537Z

Link: CVE-2026-11616

cve-icon Vulnrichment

Updated: 2026-06-09T13:32:15.552Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T09:16:28.620

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-11616

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T09:57:01Z

Weaknesses