CVE-2026-11616
Description
WordPress Events Calendar for GeoDirectory plugin vulnerable to privilege escalation, allowing subscribers to become administrators.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Events Calendar for GeoDirectory plugin for WordPress versions up to and including 2.3.28 is vulnerable to privilege escalation. The ajax_ayi_action() handler improperly sanitizes user-controlled input ($_POST['type'] and $_POST['postid']) before passing it to update_ayi_data(). This allows for arbitrary user meta data to be written.
Exploitation
An authenticated attacker with at least Subscriber-level access can exploit this vulnerability. The attacker needs to send a crafted POST request to the ajax_ayi_action() handler. By setting type to wp_capabilities and postid to administrator, the attacker can inject ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta.
Impact
Successful exploitation allows an attacker to elevate their privileges to Administrator. The WP_User::get_role_caps() function will interpret the administrator key in the wp_capabilities meta as an active role, granting the attacker full administrative control over the WordPress site.
Mitigation
Versions of the Events Calendar for GeoDirectory plugin up to and including 2.3.28 are affected. A patched version, 2.3.30, was released on 2026-06-04 [1]. Users should update to the latest version to remediate this vulnerability.
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.3.28
Patches
- v2.3.29: Release: the-events-calendar-for-geodirectory 2.3.29 (next version after vulnerable 2.3.28)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/events-for-geodirectory/tags/2.3.28/includes/class-geodir-event-ayi.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/11ba187b-1fe4-4077-ad9d-a07660133e91 (nvd)
News mentions
No linked articles in our index yet.