WordPress Plugin Vulnerabilities

The Events Calendar < 6.15.17.1 - Author+ Arbitrary File Read

Description

The plugin is vulnerable to Path Traversal via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
the-events-calendar
Fixed in 6.15.17.1

References

CVE
CVE-2026-3585
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/92e404ab-fe2b-45b3-b8ff-672f7888b747

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
4768796f-c400-4c45-862b-d7c1b45084d0

Timeline

Publicly Published
2026-03-09 (about 2 months ago)
Added
2026-03-09 (about 2 months ago)
Last Updated
2026-03-09 (about 2 months ago)

Other

Published
Title
Published
2025-08-01
Title
Woffice Core < 5.4.27 - Authenticated (Contributor+) Arbitrary File Deletion
Published
2025-12-12
Title
PDF Generator Addon for Elementor Page Builder < 2.0.1 - Unauthenticated Path Traversal
Published
2012-07-10
Title
A Page Flip Book 2.3 - index.php pageflipbook_language Parameter Traversal Local File Inclusion
Published
2025-09-10
Title
User Meta – User Profile Builder and User management plugin <= 3.1.2 - Authenticated (Subscriber+) Arbitrary File Deletion
Published
2025-02-12
Title
Campress <= 1.35 - Unauthenticated Local File Inclusion