Atomic Edge analysis of CVE-2026-2694:
The vulnerability is an improper authorization flaw in The Events Calendar WordPress plugin. It allows authenticated users with Contributor-level permissions or higher to modify or delete events, organizers, and venues via the REST API. This improper capability check leads to unauthorized data modification and loss.

Atomic Edge research identifies the root cause in the `can_edit` and `can_delete` functions within three REST API endpoint classes: `Single_Event`, `Single_Organizer`, and `Single_Venue`. In the vulnerable version, these functions performed generic capability checks using `delete_posts` and `edit_posts` without validating the specific post ID from the request. The functions were located in `/the-events-calendar/src/Tribe/REST/V1/Endpoints/Single_Event.php` (lines 498-504 and 563-568), `/the-events-calendar/src/Tribe/REST/V1/Endpoints/Single_Organizer.php` (lines 464-470 and 517-522), and `/the-events-calendar/src/Tribe/REST/V1/Endpoints/Single_Venue.php` (lines 529-535 and 583-588).

An attacker exploits this by sending authenticated REST API requests to update or trash specific posts. The attack vector targets the WordPress REST API endpoints for events (`/wp-json/tribe/events/v1/events/{ID}`), organizers (`/wp-json/tribe/events/v1/organizers/{ID}`), and venues (`/wp-json/tribe/events/v1/venues/{ID}`). A Contributor-level user sends PUT or DELETE requests to these endpoints with a target post ID they do not own. The vulnerable authorization logic incorrectly grants permission based on the generic `edit_posts` or `delete_posts` capability, a role-level capability that Contributors hold (it is what lets them work on their own posts), rather than the object-specific `edit_post` or `delete_post` meta-capability check, which WordPress resolves against the owner of the named post and which a Contributor fails for another user's post.

The patch modifies the `can_edit` and `can_delete` functions in all three endpoint classes. The functions now accept an optional `WP_REST_Request $request` parameter. The code extracts the `id` parameter from the request. If an ID is present, the function performs a specific capability check using `edit_post` or `delete_post` with that ID. If no ID is provided, the function falls back to the generic `edit_posts` or `delete_posts` check. This change ensures the authorization check validates the user’s permission for the specific post object being accessed, not just the post type in general.
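The following sketch shows the vulnerable role-level check beside the hardened object-specific check. It is an added illustration, not the plugin's own source; the class name and the `extract_id()` helper are assumptions, while `current_user_can()`, `absint()` and `WP_REST_Request::get_param()` are standard WordPress APIs.

```php
<?php
// Added illustration, not the plugin's source. Class name and helper are assumptions.
class Example_Single_Event_Endpoint {

    // BEFORE (vulnerable pattern): role-level capability only. Any user whose
    // role grants edit_posts / delete_posts (Contributors do) passes, no matter
    // which post ID the request names.
    public function can_edit_vulnerable() {
        return current_user_can( 'edit_posts' );
    }

    public function can_delete_vulnerable() {
        return current_user_can( 'delete_posts' );
    }

    // AFTER (hardened pattern): when the request carries an id, test the
    // object-specific meta-capability for that post. WordPress maps
    // edit_post / delete_post on another user's post onto edit_others_posts /
    // delete_others_posts, which Contributors do not have. Only when no id is
    // present (e.g. a create request) fall back to the generic check.
    public function can_edit( ?WP_REST_Request $request = null ) {
        $id = $this->extract_id( $request );
        if ( $id > 0 ) {
            return current_user_can( 'edit_post', $id );
        }
        return current_user_can( 'edit_posts' );
    }

    public function can_delete( ?WP_REST_Request $request = null ) {
        $id = $this->extract_id( $request );
        if ( $id > 0 ) {
            return current_user_can( 'delete_post', $id );
        }
        return current_user_can( 'delete_posts' );
    }

    // Hypothetical helper: pull a positive integer id out of the request, or 0.
    private function extract_id( $request ) {
        if ( ! $request instanceof WP_REST_Request ) {
            return 0;
        }
        return absint( $request->get_param( 'id' ) );
    }
}
```

The whole fix is the second argument to `current_user_can()`: without it only the role capability is tested; with it WordPress resolves the meta-capability against the specific post and its owner.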

Successful exploitation allows authenticated attackers with Contributor privileges to update or delete any event, organizer, or venue on the site. This leads to unauthorized data modification and data loss. Attackers can alter event details, remove content, or disrupt site operations. The vulnerability does not grant privilege escalation to administrative functions, but it enables a horizontal authorization bypass: acting on other users' objects within the affected post types.