Platform
wordpress
Component
the-events-calendar
Fixed in
6.15.18
CVE-2026-3585 is an Arbitrary File Access vulnerability discovered in The Events Calendar plugin for WordPress. This vulnerability allows authenticated attackers with Author-level access or higher to read arbitrary files on the server, potentially exposing sensitive information. The vulnerability affects versions from 0.0.0 up to and including 6.15.17, and a patch is available in version 6.15.17.1.
An attacker exploiting this vulnerability can leverage the 'ajaxcreateimport' function to traverse directories and access files outside of the intended scope. This could include configuration files, database backups, or other sensitive data stored on the server. The potential impact is significant, as an attacker could gain access to credentials, API keys, or proprietary information. While requiring authentication (Author role or higher), this vulnerability poses a risk to WordPress sites with multiple users and varying permission levels. The ability to read arbitrary files could also be a stepping stone to further exploitation, such as code execution if sensitive code is exposed.
This vulnerability was publicly disclosed on 2026-03-10. There are currently no known public proof-of-concept exploits available, but the ease of exploitation (requiring only Author-level access) suggests a potential for rapid exploitation if a PoC is released. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively straightforward nature of path traversal vulnerabilities, it is reasonable to expect exploitation attempts if a public PoC emerges.
WordPress websites utilizing The Events Calendar plugin, particularly those with Author-level users or higher, are at risk. Shared hosting environments where users have limited control over server file permissions are especially vulnerable. Sites with outdated plugin versions and inadequate security practices are also at increased risk.
• wordpress / composer / npm: Use wp-cli to check the installed version of The Events Calendar.
wp plugin list --status=active | grep 'The Events Calendar'
• generic web: Monitor web server access logs for requests to wp-content/plugins/the-events-calendar/ajaxcreateimport with unusual or potentially malicious file paths in the parameters.
grep 'ajax_create_import' /var/log/apache2/access.log
• wordpress / composer / npm: Examine the the-events-calendar plugin files for any unauthorized modifications or backdoors.
find /var/www/html/wp-content/plugins/the-events-calendar -type f -mtime -7
Disclosure
Exploit status
EPSS
0.07% (22nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3585 is to immediately upgrade The Events Calendar plugin to version 6.15.17.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting file access permissions on the server to limit the potential damage. While a direct WAF rule is difficult to implement for arbitrary file access, monitoring access logs for unusual file requests related to the 'ajaxcreateimport' endpoint can provide early detection. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for attempts to access files outside of the plugin's intended directory is recommended. After upgrading, confirm the fix by attempting to access a non-existent file through the 'ajaxcreateimport' endpoint; it should return an error.
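Added example (not part of this advisory or the plugin's own code): a small Python scanner that implements the log-monitoring recommendation above over constructed Apache access-log lines. It treats any request containing 'ajaxcreateimport' or 'ajax_create_import' as the import endpoint (both spellings appear in this advisory; the exact URL and the parameter name are assumptions), decodes every query parameter and flags values carrying traversal sequences or absolute paths, including double-encoded ones.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Endpoint markers as spelled in the advisory; the real route is an assumption.
ENDPOINT_MARKERS = ("ajaxcreateimport", "ajax_create_import")

# Path-escape indicators: ../ or ..\ anywhere, absolute Unix/Windows path, NUL byte.
# Absolute paths may be legitimate in some setups; tune to the local baseline.
SUSPICIOUS_RE = re.compile(r'(\.\./|\.\.\\|^/|^[A-Za-z]:\\|\x00)')


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) pairs whose value looks like a path escape."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl removes one layer of percent-encoding; unquote removes a second
    # so that %252e%252e%252f is seen as ../ just like the plain form.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = unquote(raw)
        if SUSPICIOUS_RE.search(value):
            hits.append((name, value))
    return hits


def scan_access_log(lines):
    """Collect requests to the import endpoint whose parameters escape the expected directory."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        target = m.group("target")
        if not any(marker in target.lower() for marker in ENDPOINT_MARKERS):
            continue  # unrelated endpoint
        hits = suspicious_params(target)
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "params": hits})
    return findings


# Constructed sample lines (not real traffic): one benign import, one plain
# traversal, one double-encoded traversal, one request to an unrelated path.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2026:12:00:01 +0000] "GET /wp-content/plugins/the-events-calendar/ajaxcreateimport?file=events.csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2026:12:00:07 +0000] "GET /wp-content/plugins/the-events-calendar/ajaxcreateimport?file=../../../../wp-config.php HTTP/1.1" 200 3012',
    '10.0.0.9 - - [10/Mar/2026:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=ajax_create_import&file=%252e%252e%252fwp-config.php HTTP/1.1" 403 120',
    '10.0.0.3 - - [10/Mar/2026:12:00:11 +0000] "GET /wp-content/uploads/../uploads/x.jpg HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} params={f['params']}")
```

A hit with a 200 status is the case to triage first, since a 403 indicates the request was already refused.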
Update to version 6.15.17.1 or a newer patched version.
CVE-2026-3585 is a vulnerability in The Events Calendar WordPress plugin allowing authenticated attackers to read arbitrary files on the server. It has a CVSS score of 7.5 (HIGH).
If you are using The Events Calendar plugin for WordPress in any version from 0.0.0 through 6.15.17, you are potentially affected by this vulnerability.
Upgrade The Events Calendar plugin to version 6.15.17.1 or later to resolve this vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability’s nature makes it likely that exploitation will occur once a PoC is available.
Refer to the official The Events Calendar website and WordPress security announcements for the latest information and advisory regarding CVE-2026-3585.