The Events Calendar Vulnerability Exposes 700K WordPress Sites to Arbitrary File Reads

If you use The Events Calendar on your WordPress site, check your version immediately. A high-severity path traversal vulnerability (CVE-2026-3585) affects all versions up to and including 6.15.17, allowing authenticated attackers to read arbitrary files on your server — including wp-config.php, which contains your database credentials and secret keys.

What Happened

The vulnerability, disclosed on March 10, 2026, sits in the ajax_create_import function of The Events Calendar plugin. Due to insufficient validation of file paths, an attacker with Author-level access or higher can exploit the import functionality to traverse directories and read any file on the server.

The Events Calendar is one of the most popular WordPress plugins for managing events, with over 700,000 active installations. It’s widely used by businesses, nonprofits, churches, schools, and community organizations — many of which grant Author-level access to multiple staff members or volunteers.

The vulnerability has been assigned a CVSS score of 7.5 (HIGH). While it requires authentication (not exploitable by anonymous visitors), the Author role is common enough that the attack surface is significant. The practical impact: an attacker who compromises or already has an Author account can extract database credentials, API keys, and other secrets stored in server files.

Why It Matters

This is exactly the kind of vulnerability that Patchstack’s 2026 security report warned about. The report found that 91% of WordPress vulnerabilities are in plugins, and Broken Access Control (which includes path traversal) accounts for 57% of all exploited flaws.

Reading wp-config.php is game over for most sites. With the database credentials, an attacker can directly access your MySQL database, create admin accounts, inject malware, or exfiltrate all user data. Even if the database isn’t externally accessible, the secret keys and salts in wp-config.php can be used to forge authentication cookies.

The 700,000 install base makes this a high-value target. Combined with the recent WordPress core security patches and the upcoming EU Cyber Resilience Act requirements, 2026 is testing every site owner’s security hygiene.

What You Should Do

Update immediately. Check your Events Calendar version in Plugins → Installed Plugins. If you’re on version 6.15.17 or earlier, update to the latest available version. Enable auto-updates for this plugin if you haven’t already.

Audit your user roles. The vulnerability requires Author-level access. Review your user list (Users → All Users) and demote any accounts that don’t genuinely need Author permissions. Consider switching infrequent contributors to the Contributor role instead.

Check for signs of exploitation. Review your server access logs for unusual requests to the plugin’s import endpoint. If you suspect compromise, rotate your database credentials and WordPress secret keys in wp-config.php immediately.
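As an added example of the log review step (not code from the article or from the plugin), the scanner below parses Apache combined-format access log lines, URL-decodes the request path repeatedly so double-encoded sequences are exposed, and flags requests to admin-ajax.php whose decoded path contains a directory traversal sequence or wp-config.php. The sample log lines are constructed, and the action value PLUGIN_IMPORT_ACTION is a placeholder, since the article does not name the plugin's real import action or parameter.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format. PLUGIN_IMPORT_ACTION is a
# placeholder for the plugin's real import action, which the article does not name;
# the traversal payloads are illustrative.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Mar/2026:09:12:01 +0000] "POST /wp-admin/admin-ajax.php?action=PLUGIN_IMPORT_ACTION HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2026:09:12:09 +0000] "POST /wp-admin/admin-ajax.php?action=PLUGIN_IMPORT_ACTION&file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Mar/2026:09:13:44 +0000] "GET /wp-admin/admin-ajax.php?action=PLUGIN_IMPORT_ACTION&file=..%252F..%252Fwp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4"
192.0.2.9 - - [11/Mar/2026:09:15:02 +0000] "GET /events/ HTTP/1.1" 200 8901 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Indicators of directory traversal, or of the file this bug is used to read.
TRAVERSAL = re.compile(r'(\.\./|\.\.\\|wp-config\.php)', re.IGNORECASE)


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences (e.g. %252F) are exposed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_traversal_attempts(log_text: str, endpoint: str = "admin-ajax.php") -> list:
    """Return requests to `endpoint` whose decoded path carries a traversal indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        path = fully_decode(rec["path"])
        if endpoint not in path:
            continue  # only the AJAX endpoint is of interest here
        hit = TRAVERSAL.search(path)
        if hit:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "indicator": hit.group(0), "path": path})
    return hits
```

A 200 response with a larger-than-usual body on a flagged request is the pattern worth escalating; a 403 or 404 suggests the attempt was blocked.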

Enable two-factor authentication for all accounts with Author access or higher. This is a baseline security measure that would prevent most exploitation of this vulnerability even if the plugin isn’t yet updated.

Written by Marvin