CVE-2026-11616 Overview
CVE-2026-11616 is a privilege escalation vulnerability in The Events Calendar for GeoDirectory plugin for WordPress, affecting all versions up to and including 2.3.28. The flaw resides in the ajax_ayi_action() handler, which fails to validate attacker-controlled $_POST parameters before passing them to update_user_meta(). An authenticated attacker with Subscriber-level access can manipulate the type and postid parameters to overwrite their own wp_capabilities user meta, granting themselves the Administrator role. This vulnerability is tracked under CWE-269 (Improper Privilege Management).
Critical Impact
Authenticated users with Subscriber-level access can escalate to Administrator, gaining full control of the WordPress site, including content, plugins, users, and the underlying database.
Affected Products
- The Events Calendar for GeoDirectory plugin for WordPress, versions up to and including 2.3.28
- WordPress installations with the vulnerable plugin enabled
- Any user role at Subscriber level or above on affected sites
Discovery Timeline
- 2026-06-09 - CVE-2026-11616 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-11616
Vulnerability Analysis
The vulnerability resides in the ajax_ayi_action() AJAX handler located in class-geodir-event-ayi.php. The handler applies only strip_tags(esc_sql()) to the $_POST['type'] and $_POST['postid'] parameters. No allow-list validation restricts these values to expected RSVP-related keys.
The sanitized but unvalidated values are forwarded to update_ayi_data(), which executes update_user_meta($current_user->ID, $rsvp_args['type'], $posts). Because the meta key is fully attacker-controlled, an attacker can write to any user meta entry belonging to themselves, including the security-critical wp_capabilities key.
When the attacker submits type=wp_capabilities and postid=administrator, the plugin writes an array such as ['subscriber'=>true,'administrator'=>'administrator'] into the attacker's wp_capabilities meta. On the next request, WP_User::get_role_caps() enumerates this array and treats the administrator key as an active role.
Root Cause
The root cause is missing authorization and missing input allow-listing. The handler trusts user-supplied values for the meta key argument of update_user_meta(). SQL-focused sanitization functions like esc_sql() do not prevent logical abuse of the WordPress capability model.
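To make the defect concrete, the block below is a reconstruction added here (it is not the plugin's actual source) of the handler shape described in the analysis above, followed by a hardened version. The names ajax_ayi_action, update_ayi_data and $rsvp_args follow this page; the exact body of the original functions, the nonce action name 'geodir_ayi_nonce', the 'security' request field and the allow-listed RSVP meta key names are assumptions for illustration. The hardened handler makes the meta key unreachable from the request by allow-listing it, types the post id, and ties the request to a nonce.

```php
<?php
// Reconstruction for illustration; not the plugin's real code.

// --- BEFORE (as the page describes it): sanitization only, no allow-list ---
function ajax_ayi_action_vulnerable() {
    $rsvp_args = array(
        'type'   => strip_tags( esc_sql( $_POST['type'] ) ),   // attacker picks the meta key
        'postid' => strip_tags( esc_sql( $_POST['postid'] ) ), // attacker picks the stored value
    );
    update_ayi_data_vulnerable( $rsvp_args );
}

function update_ayi_data_vulnerable( $rsvp_args ) {
    $current_user = wp_get_current_user();
    // Assumed read-modify-write; it reproduces the ['subscriber'=>true,'administrator'=>'administrator']
    // result the page reports when type=wp_capabilities and postid=administrator are sent.
    $posts = get_user_meta( $current_user->ID, $rsvp_args['type'], true );
    if ( ! is_array( $posts ) ) {
        $posts = array();
    }
    $posts[ $rsvp_args['postid'] ] = $rsvp_args['postid'];
    // esc_sql() only protects the query; it says nothing about WHICH meta key may be written.
    update_user_meta( $current_user->ID, $rsvp_args['type'], $posts );
}

// --- AFTER: allow-listed meta key, typed post id, nonce check ---

// Assumed RSVP key names; the point is that the set is closed and does not contain core keys.
const GEODIR_AYI_ALLOWED_TYPES = array( 'geodir_event_rsvp_going', 'geodir_event_rsvp_interested' );

function ajax_ayi_action_hardened() {
    // 1. Bind the request to a nonce issued for this action (nonce name/field assumed).
    check_ajax_referer( 'geodir_ayi_nonce', 'security' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    // 2. Allow-list the meta key: anything outside the RSVP set is rejected outright.
    $type = isset( $_POST['type'] ) ? sanitize_key( wp_unslash( $_POST['type'] ) ) : '';
    if ( ! in_array( $type, GEODIR_AYI_ALLOWED_TYPES, true ) ) {
        wp_send_json_error( 'invalid type', 400 );
    }

    // 3. The post id is an integer that must resolve to an existing post.
    $postid = isset( $_POST['postid'] ) ? absint( $_POST['postid'] ) : 0;
    if ( 0 === $postid || null === get_post( $postid ) ) {
        wp_send_json_error( 'invalid postid', 400 );
    }

    update_ayi_data_hardened( array( 'type' => $type, 'postid' => $postid ) );
    wp_send_json_success();
}

function update_ayi_data_hardened( array $rsvp_args ) {
    $current_user = wp_get_current_user();
    $posts = get_user_meta( $current_user->ID, $rsvp_args['type'], true );
    if ( ! is_array( $posts ) ) {
        $posts = array();
    }
    $posts[ $rsvp_args['postid'] ] = $rsvp_args['postid'];
    // $rsvp_args['type'] is now guaranteed to be an RSVP key, so wp_capabilities cannot be reached.
    update_user_meta( $current_user->ID, $rsvp_args['type'], $posts );
}

// Authenticated-only endpoint: register wp_ajax_ only, never wp_ajax_nopriv_.
add_action( 'wp_ajax_ayi_action', 'ajax_ayi_action_hardened' );
```

The allow-list is the essential control: sanitization functions such as esc_sql() or strip_tags() change the shape of a string but cannot decide whether a given meta key is a legitimate target, and a closed set of expected keys is the only way to keep core keys like wp_capabilities out of update_user_meta().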
Attack Vector
An attacker authenticates with any account at Subscriber level or above. The attacker then sends a crafted POST request to the ayi_action AJAX endpoint with type=wp_capabilities and postid=administrator. The plugin overwrites the user's wp_capabilities meta, and the next authenticated request grants administrative capabilities. No user interaction from a privileged victim is required.
For technical specifics, see the vulnerable handler at line 154 and the meta update logic at line 357 of class-geodir-event-ayi.php.
Detection Methods for CVE-2026-11616
Indicators of Compromise
- POST requests to admin-ajax.php containing action=ayi_action with type=wp_capabilities in the request body
- Unexpected modifications to the wp_usermeta table where meta_key='wp_capabilities' for non-administrator accounts
- New or existing low-privilege users suddenly performing administrative actions such as plugin installation or user creation
- Subscriber-level accounts accessing /wp-admin/ pages reserved for administrators
Detection Strategies
- Inspect web server access logs for AJAX requests where type parameters reference WordPress core meta keys such as wp_capabilities, wp_user_level, or session_tokens
- Compare current role assignments in wp_usermeta against a known-good baseline to identify unauthorized role changes
- Alert on WordPress audit log events where a Subscriber-tier account transitions to Administrator outside of approved workflows
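The following script is an added example (not part of this page or of the plugin) that implements two of the detection strategies above over constructed sample data: it scans logged admin-ajax.php requests for action=ayi_action combined with a core meta key in the type parameter, and it diffs wp_capabilities role sets against a known-good baseline. The log line format with a trailing body="..." field is an assumption standing in for whatever request-body logging the site has enabled; the user ids and roles are constructed.

```php
<?php
// Added detection example; not from the page or the plugin.

// Core meta keys an RSVP handler should never name in its type parameter (from the page).
const CVE_2026_11616_SENSITIVE_KEYS = array( 'wp_capabilities', 'wp_user_level', 'session_tokens' );

// Scan log lines that carry a logged request body in a trailing body="..." field
// (constructed format; plain access logs do not record POST bodies).
function scan_ajax_log( array $lines ): array {
    $hits = array();
    foreach ( $lines as $n => $line ) {
        if ( stripos( $line, 'admin-ajax.php' ) === false ) {
            continue;
        }
        if ( ! preg_match( '/body="([^"]*)"/', $line, $m ) ) {
            continue;
        }
        parse_str( $m[1], $params );
        $action = $params['action'] ?? '';
        $type   = $params['type'] ?? '';
        if ( 'ayi_action' === $action && in_array( $type, CVE_2026_11616_SENSITIVE_KEYS, true ) ) {
            $hits[] = array(
                'line'   => $n + 1,
                'type'   => $type,
                'postid' => $params['postid'] ?? '',
            );
        }
    }
    return $hits;
}

// Compare wp_capabilities role sets against a baseline. Both arrays are keyed by user_id
// and hold the unserialized meta_value (role => truthy), the same shape wp_usermeta stores.
function diff_capabilities( array $baseline, array $current ): array {
    $changed = array();
    foreach ( $current as $uid => $caps ) {
        $before = array_keys( array_filter( $baseline[ $uid ] ?? array() ) );
        $after  = array_keys( array_filter( $caps ) );
        sort( $before );
        sort( $after );
        if ( $before !== $after ) {
            $changed[ $uid ] = array( 'before' => $before, 'after' => $after );
        }
    }
    return $changed;
}

// --- Constructed sample input ---
$sample_log = array(
    '10.0.0.5 - - [09/Jun/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0" body="action=ayi_action&type=geodir_event_rsvp_going&postid=42"',
    '10.0.0.9 - - [09/Jun/2026:10:01:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "curl/8.0" body="action=ayi_action&type=wp_capabilities&postid=administrator"',
    '10.0.0.9 - - [09/Jun/2026:10:01:09 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 8123 "-" "curl/8.0" body=""',
);

// Baseline snapshot (known good) versus what wp_usermeta holds now; user 7 is the constructed victim account.
$baseline_caps = array(
    1 => array( 'administrator' => true ),
    7 => array( 'subscriber' => true ),
);
$current_caps = array(
    1 => array( 'administrator' => true ),
    7 => array( 'subscriber' => true, 'administrator' => 'administrator' ),
);

print_r( scan_ajax_log( $sample_log ) );          // one hit: line 2, type wp_capabilities
print_r( diff_capabilities( $baseline_caps, $current_caps ) ); // user 7: [subscriber] -> [administrator, subscriber]
```

Two practical notes. First, the log scan only works if request bodies are captured: a standard combined access log records the request line and headers, not POST parameters, so the type value has to come from WAF audit logging or an equivalent body-logging setup. Second, to feed diff_capabilities() from a live site, load the current map with a query such as SELECT user_id, meta_value FROM wp_usermeta WHERE meta_key = 'wp_capabilities' and unserialize each meta_value (WordPress's maybe_unserialize() does this); the baseline should come from a snapshot taken before the vulnerable version was deployed, since a role set that includes administrator for an account that was provisioned as a Subscriber is the exact artifact this vulnerability leaves behind.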
Monitoring Recommendations
- Enable verbose logging on admin-ajax.php and forward events to a centralized SIEM for correlation
- Monitor authentication events for newly elevated accounts performing privileged operations within minutes of role change
- Track plugin file integrity for class-geodir-event-ayi.php and related files to confirm patched versions are deployed
How to Mitigate CVE-2026-11616
Immediate Actions Required
- Update The Events Calendar for GeoDirectory plugin to a version above 2.3.28 that includes the upstream fix referenced in the WordPress change set 3533585
- Audit all WordPress user accounts and revoke unexpected Administrator privileges
- Review wp_usermeta entries for tampering in the wp_capabilities field across all users
- Rotate credentials and force password resets for any account suspected of compromise
Patch Information
The vendor addressed the vulnerability in a release following 2.3.28. Refer to the Wordfence Vulnerability Report for the fixed version and the WordPress change set for the upstream code fix. The patch introduces allow-list validation restricting the type parameter to expected RSVP values.
Workarounds
- Disable The Events Calendar for GeoDirectory plugin until the patched version is installed
- Restrict new user registration to trusted users only, reducing the attacker pool that can reach the vulnerable AJAX endpoint
- Deploy a Web Application Firewall (WAF) rule blocking POST requests to admin-ajax.php containing action=ayi_action together with type=wp_capabilities
- Remove Subscriber-level registration on production sites where it is not required
# Example WAF rule (ModSecurity) blocking exploitation attempts
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1026116160,msg:'CVE-2026-11616 GeoDirectory privilege escalation attempt'"
    SecRule ARGS:action "@streq ayi_action" "chain"
        SecRule ARGS:type "@rx (wp_capabilities|wp_user_level|session_tokens)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.