cleantalk
Vulnerabilities and Security Researches

The Events Calendar, CVE-2026-3585

CVE, Research URL

CVE-2026-3585

Home page URL

Security reports for The Events Calendar

Application

The Events Calendar

Published on
Mar 10, 2026
Research Description
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Affected versions
max 6.15.17.1.
Status
vulnerable
Previous vulnerability researches
Add infos to the events calendar (CVE-2024-11875) , Dec 13, 2024
Events Search For The Events Calendar (064f04a5db00947ea83e3596cf05df5e81a0431e) , Jun 07, 2024
Events Search For The Events Calendar (b62a26a6-cea0-46a7-b577-ba8d476ec1b5) , Jun 16, 2026
Events Search For The Events Calendar (499fc5b5931097622c99d4db054b7adfe26218e8) , Jun 16, 2026
The Events Calendar Countdown Addon (b62a26a6-cea0-46a7-b577-ba8d476ec1b5) , Jun 16, 2026
New vulnerability
wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin (CVE-2026-49080) , Jun 16, 2026
The Events Calendar (CVE-2026-49772) , Jun 16, 2026
WooCommerce Stripe Payment Gateway (CVE-2026-2381) , Jun 16, 2026
leenk.me (753d31765913b4d2dbb8af0a5512e5f1f8c70c61) , Jun 16, 2026
Social Hashtags (5abd4657-8a58-4d97-b8cb-b67235ab5b8a) , Jun 16, 2026