Impact
The vulnerability is a path traversal flaw in the ajax_create_import function of The Events Calendar plugin. It allows an authenticated user with Author‑level or higher privileges to craft a request that reads the contents of arbitrary files on the server (anything the web server process itself can read). This can expose sensitive configuration, credentials, or other confidential data, and represents a significant compromise of data confidentiality.
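The defensive pattern that closes this class of bug is to resolve any user-supplied file name against a single allowed directory and refuse anything that escapes it. The following is an added illustration written for this page, not the plugin's own code; the base directory, the parameter handling and the demo files are assumptions.

```php
<?php
// Added illustration, not The Events Calendar's own code. Resolves a
// user-supplied import file name inside one allowed directory and fails
// closed on traversal, absolute paths, NUL bytes and symlink escapes.

/**
 * Return the canonical path of $userInput inside $baseDir, or null if the
 * request points outside $baseDir or at a file that does not exist.
 */
function resolve_import_path(string $baseDir, string $userInput): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // allowed directory itself is missing: fail closed
    }
    // Accept only a bare file name: no directory separators, no NUL bytes.
    // (realpath() would also throw on a NUL byte in PHP 8; reject it first.)
    if ($userInput === '' || strpbrk($userInput, "/\\\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($candidate === false) {
        return null; // no such file (also covers dangling symlinks)
    }
    // realpath() collapses "..", "." and symlinks, so a prefix check on the
    // canonical path catches both ".." as a bare name and a symlink inside
    // the directory that points outside it. The trailing separator stops a
    // sibling such as "/uploads_evil" from matching a base of "/uploads".
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo against a temporary directory constructed for this example.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tec-import-demo-' . getmypid();
mkdir($tmp);
file_put_contents($tmp . '/events.csv', "title,start\nDemo,2024-01-01\n");

var_dump(resolve_import_path($tmp, 'events.csv'));     // legitimate import file: canonical path
var_dump(resolve_import_path($tmp, '../outside.txt'));  // traversal: rejected by the separator check
var_dump(resolve_import_path($tmp, '..'));              // bare "..": rejected by the prefix check
var_dump(resolve_import_path($tmp, "events.csv\0.txt")); // NUL byte: rejected before realpath()

unlink($tmp . '/events.csv');
rmdir($tmp);
```

In a WordPress AJAX handler this check would sit behind the usual capability and nonce checks; the path check alone does not replace them.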
Affected Systems
The affected product is the WordPress plugin The Events Calendar. All releases up to and including version 6.15.17 are vulnerable. The flaw exists in the code handling the AJAX import feature that is used by site administrators and authors to import events from external sources.
Risk and Exploitability
The CVSS base score of 7.5 classifies the issue as high severity: a successful exploit gives the attacker read access to arbitrary files on the server, at the privilege level of the web server process and without any further escalation. The EPSS score of less than 1% suggests that, as of the latest analysis, exploitation is unlikely to be widespread, and the flaw is not listed in the CISA KEV catalog. Nevertheless, because the flaw requires only an Author‑level account, a role that is common on many sites, the attack scenario is realistic for any site that lets authors use the import feature. The file contents obtained through successful exploitation can be used to compromise other services running on the same server.
OpenCVE Enrichment