Research · 11 min read

The Events Calendar Path Traversal: 6 Million Sites at Risk

By WP Vanguard Team

The Events Calendar Path Traversal: 6 Million Sites at Risk

A path traversal vulnerability in The Events Calendar -- one of the most widely installed WordPress plugins on the planet -- was publicly disclosed this week. There is no patch. Over 6 million WordPress sites are currently running a version of the plugin that allows authenticated attackers to read arbitrary files on the server.

CVE-2026-3585 is rated CVSS 7.5 HIGH. Here is everything you need to know: what it does, how it works, who is at risk, what files attackers target, and what you can do right now while waiting for a fix.


What Is The Events Calendar?

Before getting into the vulnerability, it helps to understand the scale. The Events Calendar is developed by The Events Calendar (formerly Modern Tribe) and has been active since 2009. It is free, available on WordPress.org, and has consistently ranked among the top 20 most-installed plugins in the entire WordPress ecosystem.

Six million active installations is not an estimate -- it is a floor. WordPress.org counts only direct .org installations. The plugin is also distributed via the developer's own website and bundled by themes, so the real number of sites running it is likely higher.

That installation count is why this disclosure matters beyond its CVSS score. A 7.5 rating is high severity, but not the highest. The impact here is multiplied by the sheer number of sites exposed.


The Vulnerability: Path Traversal in ajax_create_import

The flaw exists in a function called ajax_create_import. This function is part of the plugin's event import system, which allows site owners to import events from external files in various formats.

How Path Traversal Works

A path traversal vulnerability -- also called a directory traversal vulnerability -- occurs when user-supplied input is used to construct a file path and the application fails to properly sanitize or validate that input.

In a correctly implemented application, when a user requests a file, the application ensures that file path stays within the expected directory. In a vulnerable application, an attacker can supply a path like:

../../../../wp-config.php

The ../ sequences navigate up the directory tree. If the application passes this input to a file-reading function without stripping or blocking directory traversal sequences, the server reads wp-config.php -- or any other file the web server process has permission to read.

The Specific Flaw

In ajax_create_import, the plugin accepts user-supplied input as part of a file import path. The validation logic is insufficient to block traversal sequences. An authenticated user with Author-level access can supply a crafted path that causes the server to read and return the contents of files outside the intended import directory.

The vulnerability requires authentication at Author level or above. This is not zero-click. But it is a significantly lower bar than it might appear in practice.


Who Is Actually at Risk

The authentication requirement creates a false sense of security for many site administrators. "My site requires login, so outside attackers cannot trigger this" -- that is true for fully private sites. It is not true for the majority of sites running The Events Calendar.

Consider the typical deployment contexts:

Community and event sites often allow user registration so attendees can RSVP, manage their own event submissions, or access member content. Any registered user who has been granted Author access -- even a trusted volunteer -- represents a potential exploitation vector if their account is compromised.

Multi-author blogs and publications routinely have 5-50 contributor accounts at Author level or above. A phishing attack targeting any one of those accounts gives an external attacker the access needed to exploit this vulnerability.

Membership sites with content submission features frequently assign Author or Contributor roles to members as part of normal site operation.

Sites that previously had contributors may still have inactive Author accounts that were never deactivated. Those accounts are valid authentication credentials for this exploit.

The practical question is not "does my site require login" but rather "do I have any Author-level accounts I cannot fully vouch for." For most sites running The Events Calendar, the honest answer is yes.


What Attackers Can Read

Once an attacker has a valid Author-level session, the exploitation path is straightforward: craft a file import request with a traversal payload targeting sensitive files on the server.

wp-config.php -- The Primary Target

wp-config.php is almost always the first file targeted in path traversal attacks against WordPress. It contains:

A single successful read of wp-config.php can give an attacker everything they need to compromise the entire WordPress installation, even without exploiting any additional vulnerabilities.

Other High-Value Targets

Depending on the server configuration, attackers may also target:

Escalation to Remote Code Execution

Path traversal vulnerabilities are sometimes dismissively characterized as "read-only" -- as if being able to read arbitrary files is somehow limited. In practice, file-read capabilities often chain into full server compromise.

The most direct escalation path: an attacker reads wp-config.php, extracts database credentials, connects to the database (directly or through a separate vulnerability), and inserts a PHP webshell into the database that gets executed when the site renders. This requires database network access, which is not always available, but the credential exposure from wp-config.php still enables a wide range of follow-on attacks.

A more reliable escalation path involves chaining the file-read with a file-upload capability. The attacker uploads a PHP file through The Events Calendar's import functionality or any other file upload vector on the site, then uses the path traversal to read the upload's location and verify execution. This is not always possible but it is a well-understood attack pattern.


Current Patch Status

As of March 19, 2026, there is no patch available for CVE-2026-3585.

The Events Calendar development team has been notified through responsible disclosure. The timeline from notification to patch varies significantly -- for actively exploited vulnerabilities, developers often prioritize fast turnaround. For high-severity flaws with no confirmed in-the-wild exploitation, the timeline is less predictable.

Monitor the official Events Calendar changelog at eventschangendar.io and the plugin's WordPress.org page for a fix release. Security advisories will also appear on Patchstack and Wordfence when a patch ships.


What You Can Do Right Now

There is no way to patch a vulnerability that does not yet have a patch. But there are meaningful steps to reduce your exposure.

Audit Your Author-Level Accounts

This is the highest-leverage action available right now. The vulnerability requires authentication, so reducing the number of valid Author-level credentials limits who can trigger it.

Go to Users > All Users in your WordPress admin and filter by Role > Author. For each account:

Remove or deactivate any accounts that are not actively needed. Downgrade roles where full Author access is not required. Reset passwords for any accounts where you have doubt about security.

Enable Two-Factor Authentication for Authors

If you cannot remove Author accounts, adding two-factor authentication (2FA) significantly raises the bar for account compromise. Even if an attacker phishes a contributor's password, 2FA prevents them from logging in. Plugins like WP 2FA or two-factor authentication features in security suites can apply this site-wide.

Restrict wp-config.php Access at the Server Level

You can add a layer of protection by preventing web server access to wp-config.php at the server configuration level, separate from WordPress's own access controls. In Apache, adding the following to your .htaccess file prevents direct web requests to the file:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Note: this does not protect against server-side file reads triggered by PHP code. A path traversal exploit in PHP code can bypass .htaccess restrictions because it is a server-side read, not a web request. But defense in depth is still valuable -- this prevents opportunistic direct-URL access.

Monitor for Suspicious File Access

If your hosting environment supports PHP error logging or web server access logging, watch for requests to AJAX endpoints that include .. sequences in parameters. Many WAFs and security plugins can flag or block path traversal patterns in request parameters.

Consider Temporarily Disabling the Import Feature

If your site does not actively use The Events Calendar's import functionality, you may be able to reduce the attack surface by disabling or restricting access to the import endpoints through your firewall or WAF rules. This is a partial mitigation -- the vulnerability exists in the codebase regardless -- but limiting who can reach the vulnerable function narrows the attack surface.


How to Tell If You Have Been Compromised

If you are running The Events Calendar 6.15.17 or earlier and have Author-level accounts you cannot fully account for, it is worth checking for signs of compromise even before a patch is available.

Look for:

If you find evidence of compromise, run a full security scan to assess the damage and determine next steps.


The Broader Pattern: High-Popularity Plugins Are High-Value Targets

CVE-2026-3585 is not unique in the history of WordPress security. Large, widely-deployed plugins attract more researcher attention and more attacker attention than obscure plugins precisely because of their scale. Finding a vulnerability in a plugin with 6 million installations is exponentially more valuable to an attacker than finding the same vulnerability in a plugin with 6,000 installations.

This is a structural property of the WordPress ecosystem. The plugins that provide the most value -- and therefore get the most installs -- create the largest attack surfaces when they have vulnerabilities. It is not a reason to avoid popular plugins, but it is a reason to monitor their security disclosures closely.

Running automated scans on your WordPress sites helps catch outdated plugin versions before they can be exploited. WP Vanguard checks plugin versions against a vulnerability database of 38,000+ CVEs and flags any matches -- no SSH access required.


What Happens When a Patch Is Released

When the Events Calendar team releases a patch, the fix will ship as a plugin update on WordPress.org. Sites with automatic plugin updates enabled will receive it automatically. Sites with manual updates require you to apply it through Plugins > Installed Plugins > Update.

Given the severity of this vulnerability, if you have automatic updates disabled for The Events Calendar (common in managed environments where updates go through staging first), make an exception for this one. Apply the security patch directly rather than waiting for a full review cycle.

We will update this post when a patch is confirmed available.


Scan your site for vulnerable plugin versions | View pricing | Weekly vulnerability report

CVE-2026-3585 events-calendar path-traversal wordpress-vulnerability wordpress-security

Related reading

Check Your WordPress Site Security

Free scan, no login required. Find vulnerabilities before attackers do.

Scan Your Site Free

Get weekly WordPress security tips

Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.

WP Vanguard is built by Wbcom Designs, makers of Reign, Jetonomy, Listora, and more. Explore our WordPress products →
← Back to Blog