Severity by source

CVSS vector (NVD, the only source rating this CVE): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) - with no allow-list - to the attacker-controlled $_POST['type'] and $_POST['postid'] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the 'administrator' array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator.
Analysis (AI)
Privilege escalation in the Events Calendar for GeoDirectory WordPress plugin (versions up to and including 2.3.28) allows authenticated Subscriber-level users to elevate to Administrator by abusing the ajax_ayi_action() AJAX handler, which writes attacker-controlled POST parameters directly into the wp_capabilities user meta key. The flaw stems from insufficient input filtering (strip_tags/esc_sql with no allow-list) on the type and postid fields before they reach update_user_meta(), enabling an attacker to set their own role to administrator. …
Vulnerability Assessment (AI)

| Section | Assessment |
|---|---|
| Exploitation | Exploitation requires (1) the Events Calendar for GeoDirectory plugin to be installed and active in a version at or below 2.3.28, (2) an authenticated session at Subscriber level or higher - consistent with the CVSS PR:L - which on WordPress sites that permit open user registration is effectively unauthenticated since anyone can self-register, (3) network access to wp-admin/admin-ajax.php to invoke the ajax_ayi_action() handler, and (4) the ability to set the POST parameters type=wp_capabilities and postid=administrator (or any equivalent role string). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction - consistent with the description's Subscriber-level prerequisite. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a Subscriber account on a target WordPress site running Events Calendar for GeoDirectory ≤ 2.3.28 (or compromises any existing low-privilege account), then issues a single authenticated POST to admin-ajax.php invoking the ayi action with type=wp_capabilities and postid=administrator. WordPress writes the crafted capabilities array into the attacker's user meta, and on the next request WP_User::get_role_caps() promotes the attacker to Administrator, allowing plugin/theme installation, arbitrary PHP execution via uploaded plugins, and full site takeover. |
| Remediation | Upstream fix available (commit/changeset 3533585 on plugins.trac.wordpress.org for events-for-geodirectory); a released patched version greater than 2.3.28 is not independently confirmed from the provided data, so administrators should update to the latest available release of Events Calendar for GeoDirectory beyond 2.3.28 as published on the WordPress.org plugin repository and verify the changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3533585%40events-for-geodirectory&new=3533585%40events-for-geodirectory is included. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: Identify all WordPress instances running Events Calendar for GeoDirectory plugin versions ≤2.3.28; audit user accounts for suspicious administrator role assignments and privilege escalations; document all Subscriber-level users with access to affected systems. …
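As an added example (not from vuln.today or the plugin), the account audit named in the Recommended Action made concrete for the wp_capabilities shape the description gives: it parses the PHP-serialized meta value and flags a role key whose value is not boolean true, or an administrator role held next to a lower role. The sample rows and the KNOWN_ROLES set are constructed assumptions.

```python
# Constructed rows shaped like: SELECT user_id, meta_value FROM wp_usermeta WHERE meta_key='wp_capabilities'
SAMPLE_ROWS = [
    (1, 'a:1:{s:13:"administrator";b:1;}'),
    (7, 'a:1:{s:10:"subscriber";b:1;}'),
    # the shape in the CVE description: ['subscriber'=>true,'administrator'=>'administrator']
    (9, 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";s:13:"administrator";}'),
]
KNOWN_ROLES = {"administrator", "editor", "author", "contributor", "subscriber"}  # assumed default roles

def php_unserialize(data):
    """Parse the PHP-serialization subset used by wp_capabilities (ASCII keys assumed)."""
    value, _ = _parse(data, 0)
    return value

def _parse(s, pos):
    t = s[pos]
    if t == "b":                      # b:1;
        return s[pos + 2] == "1", pos + 4
    if t == "i":                      # i:42;
        end = s.index(";", pos)
        return int(s[pos + 2:end]), end + 1
    if t == "s":                      # s:13:"administrator";
        colon = s.index(":", pos + 2)
        length = int(s[pos + 2:colon])
        start = colon + 2             # skip :"
        return s[start:start + length], start + length + 2  # skip ";
    if t == "a":                      # a:2:{ key; value; ... }
        colon = s.index(":", pos + 2)
        count = int(s[pos + 2:colon])
        pos, out = colon + 2, {}      # skip :{
        for _ in range(count):
            key, pos = _parse(s, pos)
            out[key], pos = _parse(s, pos)
        return out, pos + 1           # skip }
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")

def audit_capabilities(rows):
    """Return (user_id, reason) findings for wp_capabilities values that look tampered."""
    findings = []
    for user_id, raw in rows:
        caps = php_unserialize(raw)
        roles = [k for k in caps if k in KNOWN_ROLES]
        for role in roles:
            # get_role_caps() keys on the name alone, so any value grants the role; legitimate grants are b:1
            if caps[role] is not True:
                findings.append((user_id, f"role {role!r} has non-boolean value {caps[role]!r}"))
        if "administrator" in roles and len(roles) > 1:
            # multiple roles can be legitimate via role-management plugins, so flag as suspicious, not proof
            findings.append((user_id, f"administrator held alongside {sorted(set(roles) - {'administrator'})}"))
    return findings
```

Run it over real rows exported from wp_usermeta; any hit on a site that ran the affected plugin version deserves a look at that account's history before the role is reverted.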
Related identifiers: EUVD-2026-35375, GHSA-j857-hxgm-cvxf