
CVE-2026-3585: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in stellarwp The Events Calendar

Severity: High
Tags: Vulnerability, CVE-2026-3585, CWE-22
Published: Tue Mar 10 2026 (03/10/2026, 03:33:51 UTC)
Source: CVE Database V5
Vendor/Project: stellarwp
Product: The Events Calendar

Description

CVE-2026-3585 is a high-severity path traversal vulnerability in the WordPress plugin The Events Calendar by stellarwp, affecting all versions up to and including 6.15.17. It allows authenticated users with Author-level or higher privileges to abuse the 'ajax_create_import' function to read arbitrary files on the server. This can expose sensitive information without requiring user interaction or any privileges beyond Author access. The vulnerability does not affect system integrity or availability but poses a significant confidentiality risk. No public exploits have been reported yet. Organizations using this plugin should prioritize patching or mitigating this flaw to prevent potential data breaches. The vulnerability is exploitable remotely over the network, with no authentication barrier beyond Author-level access. Countries with large WordPress user bases and significant adoption of this plugin are at higher risk.

AI-Powered Analysis

Last updated: 03/10/2026, 04:03:34 UTC

Technical Analysis

CVE-2026-3585 is a path traversal vulnerability classified under CWE-22 found in the popular WordPress plugin The Events Calendar by stellarwp. This vulnerability exists in all versions up to and including 6.15.17 and is triggered via the 'ajax_create_import' function. The flaw allows an authenticated attacker with Author-level permissions or higher to manipulate file path inputs improperly, bypassing directory restrictions. This enables the attacker to read arbitrary files on the web server, potentially exposing sensitive data such as configuration files, credentials, or other private information stored on the server. The vulnerability does not require elevated privileges beyond Author-level, making it accessible to a broad range of authenticated users, including contributors or editors. Exploitation is remote and does not require user interaction, increasing the risk profile. The CVSS v3.1 base score is 7.5, indicating high severity primarily due to the confidentiality impact and ease of exploitation. No integrity or availability impacts are noted. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a significant risk for affected installations. The plugin is widely used in WordPress sites globally, increasing the potential attack surface. The lack of a patch link suggests mitigation or updates may be pending or need to be monitored closely.

Potential Impact

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information stored on the server hosting the vulnerable WordPress plugin. Attackers with Author-level access can read arbitrary files, which may include database credentials, API keys, configuration files, or other sensitive data, potentially leading to further compromise of the web application or backend systems. While the vulnerability does not directly affect system integrity or availability, the confidentiality breach can facilitate subsequent attacks such as privilege escalation, data exfiltration, or lateral movement within the network. Organizations relying on The Events Calendar plugin for event management on WordPress sites face increased risk of data leakage, especially if they grant Author-level access to untrusted users or if accounts are compromised. The vulnerability's remote exploitability and lack of user interaction requirements increase the likelihood of exploitation in targeted or opportunistic attacks. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits following public disclosure. The widespread use of WordPress and this plugin means a large number of websites globally could be affected, potentially impacting businesses, non-profits, and government entities that use this software for event management.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately upgrade The Events Calendar plugin to a version that addresses CVE-2026-3585 once available from stellarwp. Until a patch is released, administrators should restrict Author-level access to trusted users only and review user roles to minimize the number of accounts with such privileges. Implementing web application firewall (WAF) rules to detect and block suspicious requests targeting the 'ajax_create_import' function can help reduce exploitation risk. Additionally, server-side hardening measures such as disabling directory listing, restricting file read permissions to only necessary files, and isolating the web server environment can limit the impact of successful exploitation. Monitoring server logs for unusual file access patterns or attempts to traverse directories can provide early detection of exploitation attempts. Regularly auditing plugin versions and applying security updates promptly is critical. Organizations should also consider implementing multi-factor authentication (MFA) for WordPress accounts to reduce the risk of account compromise. Finally, sensitive files should be stored outside the web root or protected with appropriate access controls to minimize exposure.
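The two defensive measures above that a practitioner can actually put into code are the log monitoring for traversal attempts and the server-side containment of any user-supplied file path. The following is an added example, not code from the advisory, from stellarwp or from The Events Calendar plugin. It assumes Apache combined-format access logs, uses the real WordPress AJAX endpoint `/wp-admin/admin-ajax.php`, and uses `tribe_example_import` as a placeholder action name and `/srv/imports` as a hypothetical import directory; the log lines are constructed for illustration. `find_traversal_attempts` decodes each query parameter (including double-encoded forms) and flags `..` segments or absolute paths aimed at the endpoint, and `resolve_within` shows the canonical-path containment check that prevents CWE-22 in the first place.

```python
import os
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic). The action
# name "tribe_example_import" is a placeholder, not the plugin's actual action.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:03:40:01 +0000] "POST /wp-admin/admin-ajax.php?action=tribe_example_import&file=../../../../wp-config.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2026:03:40:07 +0000] "POST /wp-admin/admin-ajax.php?action=tribe_example_import&file=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1024
198.51.100.9 - - [10/Mar/2026:03:41:15 +0000] "GET /wp-admin/admin-ajax.php?action=tribe_example_import&file=events.csv HTTP/1.1" 200 4096
198.51.100.9 - - [10/Mar/2026:03:42:00 +0000] "GET /events/ HTTP/1.1" 200 8192
"""

# Pull client IP, timestamp, method, URL and status out of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment delimited by a slash or backslash, or at either end.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text, endpoint="/wp-admin/admin-ajax.php"):
    """Return one record per query parameter that looks like a traversal attempt
    against `endpoint`. Benign requests and other endpoints are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("url").partition("?")
        if path != endpoint:
            continue
        for param in decode_fully(query).split("&"):
            name, _, value = param.partition("=")
            # Flag ".." segments and absolute paths; both escape an intended directory.
            if TRAVERSAL_RE.search(value) or value.startswith(("/", "\\")):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "param": name,
                    "value": value,
                })
    return hits


def resolve_within(base_dir, requested):
    """Containment check for user-supplied file names: canonicalize the joined
    path and accept it only if it is still inside base_dir. Returns the
    canonical path, or None when the request would escape the directory."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['param']}={hit['value']!r}")
    for name in ("events.csv", "../../../../wp-config.php", "/etc/passwd"):
        print(f"{name!r} -> {resolve_within('/srv/imports', name)}")
```

Run against real logs, the detector is most useful when the status code is also considered: a 200 response to a request carrying `..` segments deserves a higher-priority alert than a 403 that a WAF already stopped. The containment check deliberately uses `realpath` rather than string comparison so that symlinks and `a/../b` sequences are resolved before the prefix test.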


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-03-05T06:16:21.181Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69af94baea502d3aa8fe3e7a

Added to database: 3/10/2026, 3:49:14 AM

Last enriched: 3/10/2026, 4:03:34 AM

Last updated: 3/10/2026, 4:51:57 AM
