7.5
The Events Calendar plugin for WordPress allows attackers to read sensitive files
CVE-2026-3585
Summary
The Events Calendar plugin for WordPress is affected in all versions up to and including 6.15.17. An authenticated attacker with Author-level access or above can read arbitrary files on your server through the 'ajax_create_import' function. Update the plugin to the latest version to fix this vulnerability.
Original title
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenti...
Original description
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
NVD CVSS 3.1
7.5
Vulnerability type
CWE-22
Path Traversal
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026