Platform: wordpress
Component: the-events-calendar
Fixed in: 6.15.18
CVE-2026-3585 is an Arbitrary File Access vulnerability discovered in The Events Calendar plugin for WordPress. This vulnerability allows authenticated attackers with Author-level access or higher to read arbitrary files on the server, potentially exposing sensitive information. The vulnerability affects versions from 0.0.0 up to and including 6.15.17, and a patch is available in version 6.15.17.1.
Successful exploitation of CVE-2026-3585 allows an authenticated attacker to bypass intended access controls and read any file accessible by the webserver process. This could include configuration files containing database credentials, private keys, or source code. The attacker's ability to read sensitive files depends on the webserver's permissions and file system structure. While requiring Author-level access limits the initial attack surface, compromised accounts with such privileges can be highly valuable to attackers. The potential for data exfiltration and subsequent compromise of the entire WordPress environment is significant.
CVE-2026-3585 was publicly disclosed on 2026-03-10. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that PoCs will emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation once a PoC is available, and the widespread use of The Events Calendar plugin, it is considered a high-priority vulnerability.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3585 is to immediately upgrade The Events Calendar plugin to version 6.15.17.1 or later. If upgrading is not immediately feasible, consider restricting file system permissions to minimize the potential impact of a successful attack. Implement a Web Application Firewall (WAF) with rules to block requests targeting the 'ajaxcreateimport' endpoint with suspicious file paths. Regularly review WordPress user roles and permissions to ensure the principle of least privilege is enforced.
Update to version 6.15.17.1, or a newer patched version
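One way to implement the log or WAF check the mitigation above suggests, as an added example (Python, not code from the advisory or from the plugin): it scans constructed access-log lines for requests that reach the 'ajaxcreateimport' endpoint with a parameter value that looks like a file system path. The log format, the assumption that the endpoint is reached through an admin-ajax `action` parameter, and the indicator list are all assumptions.

```python
"""Flag access-log requests that reach the 'ajaxcreateimport' endpoint named in
the advisory with a path-like parameter value. Added example, not advisory code;
log format, the admin-ajax ``action`` parameter and the indicator list are assumed."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "ajaxcreateimport"  # endpoint name as given in the advisory
# Indicators that a parameter value is being used as a file system path.
SUSPICIOUS_PATH = re.compile(
    r"(\.\./|\.\.\\|^/|^[a-z]:\\|wp-config\.php|file://|php://)", re.IGNORECASE)
# Combined (Apache/nginx style) access-log line; constructed format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def decode_params(target):
    """Query parameters of a request target. parse_qs decodes once; a second
    pass normalises double-encoded traversal (%252e%252e%252f) as well."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k: [unquote_plus(v) for v in vals] for k, vals in params.items()}

def classify(line):
    """Finding dict for a line that hits the endpoint with a suspicious
    path value, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = decode_params(m.group("target"))
    if not any(ENDPOINT in a.lower() for a in params.get("action", [])):
        return None
    hits = [(k, v) for k, vals in params.items() if k != "action"
            for v in vals if SUSPICIOUS_PATH.search(v)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"), "hits": hits}

def scan(lines):
    """Findings for every line in an iterable of log lines."""
    return [f for f in map(classify, lines) if f]

# Constructed sample: one traversal attempt, one legitimate import, one unrelated call.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:12:01 +0000] "GET /wp-admin/admin-ajax.php?action=ajaxcreateimport&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2026:09:12:05 +0000] "GET /wp-admin/admin-ajax.php?action=ajaxcreateimport&file=uploads%2F2026%2F03%2Fevents.csv HTTP/1.1" 200 2048
192.0.2.9 - - [10/Mar/2026:09:12:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 41
"""
```

Running `scan(SAMPLE_LOG.splitlines())` returns a single finding for the first line; the legitimate import and the unrelated heartbeat call are left alone, which is the false-positive behaviour a WAF rule built on the same indicators should be checked against.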
CVE-2026-3585 is a vulnerability in The Events Calendar WordPress plugin allowing authenticated attackers to read arbitrary files on the server. It has a CVSS score of 7.5 (HIGH).
If you are running The Events Calendar plugin for WordPress at any version from 0.0.0 through 6.15.17, you are potentially affected by this vulnerability.
Upgrade The Events Calendar plugin to version 6.15.17.1 or later to resolve this vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability’s nature makes it likely that exploitation will occur once a PoC is available.
Refer to the official The Events Calendar website and WordPress security announcements for the latest information and advisories regarding CVE-2026-3585.