Security Advisory - Published 2026-06-09 - WordPress plugin

Events Calendar for GeoDirectory CVE-2026-11616: Privilege Escalation Self-Check

CVE-2026-11616 affects The Events Calendar for GeoDirectory versions up to and including 2.3.28. The reported issue is a privilege escalation path in the plugin's event interest flow. A low-privilege WordPress account may be able to affect role-related user metadata and become an administrator.

What this means: if your site allows registration, member accounts, directory submitters, or customer logins, patching the plugin is only the first step. You should also check whether any account gained administrator access while the vulnerable version was installed.

Who is affected

  • Plugin: The Events Calendar for GeoDirectory, slug events-for-geodirectory
  • CVE: CVE-2026-11616
  • Affected versions: 2.3.28 and earlier
  • Fixed line: 2.3.29 or newer; WordPress SVN currently lists 2.3.30 as the stable tag
  • Attack surface: authenticated users, including Subscriber-level accounts
  • Impact: account privilege escalation and possible WordPress admin takeover

10-minute self-check

Check the installed plugin version

wp plugin get events-for-geodirectory --field=version
wp plugin list | grep events-for-geodirectory

Version 2.3.28 or earlier should be treated as exposed. Update to 2.3.29 or newer. If you cannot update immediately, disable the plugin until you can review the site.

Check whether low-privilege accounts can log in

Treat the site as exposed to this escalation path if any of the following applies:

  • Public registration is enabled.
  • Directory submitters, event organizers, customers, or members have WordPress accounts.
  • Subscriber, customer, contributor, or custom low-privilege roles exist on the site.

A site with no public accounts still needs the update. A site with public registration needs account review after the update.

Review administrator accounts

wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
wp user list --orderby=registered --order=desc --fields=ID,user_login,user_email,roles,user_registered | head -40

Look for new administrators, old subscriber accounts that now have admin access, unfamiliar email domains, and accounts created shortly before suspicious admin activity.

Review role metadata changes

This check is defensive. It lists every account whose capability record currently grants the administrator role so you can compare that list with the administrators you expect. wp_usermeta stores no timestamps, so pair the result with user_registered and your web logs to place a change inside the exposure window. Use your own database prefix if it is not wp_.

SELECT u.ID, u.user_login, u.user_registered, m.meta_key, m.meta_value
FROM wp_usermeta m
JOIN wp_users u ON u.ID = m.user_id
WHERE m.meta_key LIKE '%capabilities%'
  AND m.meta_value LIKE '%administrator%';

If you find unexpected administrator capability records, do not delete evidence first. Export the affected rows, preserve logs, then remove the extra role from the account through WordPress admin or WP-CLI.
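The capability column holds a PHP-serialized array, which makes the rows hard to scan by eye. The script below is an added example, not part of the advisory or the plugin: it parses rows of the shape returned by the query above (user ID, login, meta_value; the sample rows are constructed) and flags accounts that hold administrator together with a low-privilege role, or that are administrators not on a list of known admins you supply.

```python
import re

# One entry of a PHP-serialized capabilities array: s:<len>:"<role>";b:<0|1>;
# Only flat role arrays are handled, which is how WordPress stores wp_capabilities.
CAP_ENTRY = re.compile(r's:\d+:"([^"]+)";b:([01]);')

# Roles the advisory names as low-privilege; extend with any custom roles on your site.
LOW_PRIV_ROLES = {"subscriber", "customer", "contributor"}

# Constructed sample rows (user_id, user_login, meta_value) as the join query would return them.
SAMPLE_ROWS = [
    (1, "siteowner", 'a:1:{s:13:"administrator";b:1;}'),
    (42, "eventfan", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    (57, "organizer", 'a:1:{s:8:"customer";b:1;}'),
    (61, "newadmin", 'a:1:{s:13:"administrator";b:1;}'),
    (63, "exstaff", 'a:2:{s:13:"administrator";b:0;s:10:"subscriber";b:1;}'),
]


def parse_capabilities(meta_value):
    """Return the set of roles actually granted (b:1) in a serialized wp_capabilities value."""
    return {role for role, flag in CAP_ENTRY.findall(meta_value) if flag == "1"}


def flag_suspicious(rows, known_admins):
    """Return (user_id, user_login, reason) for administrator accounts that need a manual look.

    known_admins: set of logins that are expected to hold the administrator role.
    """
    findings = []
    for user_id, login, meta_value in rows:
        roles = parse_capabilities(meta_value)
        if "administrator" not in roles:
            continue
        # A subscriber/customer/contributor that also carries administrator matches the
        # escalation pattern described for this CVE.
        extra = sorted(roles & LOW_PRIV_ROLES)
        if extra:
            findings.append((user_id, login, "administrator plus " + ", ".join(extra)))
        elif login not in known_admins:
            findings.append((user_id, login, "administrator not in known list"))
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_ROWS, {"siteowner"}):
        print(*finding, sep="\t")
```

Export the real rows with the same three columns, replace SAMPLE_ROWS, and review every flagged account before changing anything.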

Review AJAX and login logs

Search for traffic around WordPress AJAX endpoints, event interest actions, and admin logins during the same period. Do not replay suspicious requests.

grep -RE "admin-ajax\.php|geodir|ayi|wp-login\.php" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null | tail -200

Safe fix path

  1. Update the plugin. Move to 2.3.29 or newer from WordPress.org or a trusted update channel.
  2. Review administrator users. Remove any account or role change you cannot explain.
  3. Reset active sessions. Force logout for users after removing unexpected privileges.
  4. Rotate administrator passwords. Do this after role cleanup, not before.
  5. Check recent site changes. Review new plugins, theme edits, payment settings, redirects, and injected scripts.
  6. Preserve evidence. Keep web logs and database exports if compromise is suspected.

Signs of compromise

  • A subscriber, customer, or event submitter account now appears as Administrator.
  • Unknown administrators were created after public registration activity.
  • Admin logins appear soon after event interest or directory account activity.
  • Plugins, themes, redirects, or checkout/payment settings changed without a known admin doing it.
  • Security plugins report role changes or suspicious admin session activity.

When to request repair help

Ask for repair help if the site had public registration, you were running 2.3.28 or earlier, or you found any unexplained administrator account. Start from Ping7 CVE repair and include the domain, plugin version, public registration status, first suspicious timestamp, and whether logs are still available. You can also review the sample CVE repair report before sending details.

References