PT-2026-47711 · Stiofansisland · Events Calendar For Geodirectory

Nguyen Hung

·

Published

2026-06-09

·

Updated

2026-06-09

·

CVE-2026-11616

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()), with no allow-list, to the attacker-controlled $_POST['type'] and $_POST['postid'] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the 'administrator' array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator.
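The following PHP is an added illustration of the write primitive described above and of how it should have been closed; it is not the plugin's code or the vendor's patch. It reconstructs the vulnerable pattern from the advisory text only (the merge of postid into the existing meta value is assumed because it reproduces the reported ['subscriber'=>true,'administrator'=>'administrator'] array), puts a hardened handler beside it, and adds an audit function for the tell-tale non-boolean role entry. All function names other than the WordPress ones are hypothetical, the RSVP meta keys in the allow-list are made up, and the WordPress functions are replaced with minimal stand-ins so the file runs outside WordPress.

```php
<?php
// Added illustration for this advisory; not the plugin's code. Function and
// meta-key names other than wp_capabilities are hypothetical, and the
// WordPress functions below are minimal stand-ins so the file runs on its own.

$GLOBALS['usermeta'] = [];   // simulated wp_usermeta rows: [user_id][meta_key] => value

function esc_sql($s) { return addslashes((string) $s); }                                   // stand-in
function sanitize_key($k) { return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $k)); } // stand-in
function absint($n) { return abs((int) $n); }                                              // stand-in
function update_user_meta($uid, $key, $value) { $GLOBALS['usermeta'][$uid][$key] = $value; return true; }
function get_user_meta($uid, $key, $single = true) { return $GLOBALS['usermeta'][$uid][$key] ?? ''; }

// How WP_User::get_role_caps() derives roles: every array KEY of wp_capabilities
// that names a registered role counts as active, whatever the key's value is.
function roles_from_caps(array $caps, array $registered_roles): array {
    return array_values(array_filter(array_keys($caps),
        fn($k) => in_array($k, $registered_roles, true)));
}

// Vulnerable pattern as the advisory describes it: the only sanitisation is
// strip_tags(esc_sql()), which removes markup and escapes quotes but leaves the
// string "wp_capabilities" intact, and that string then becomes the meta KEY.
// Merging postid into the existing value is an assumption that reproduces the
// ['subscriber'=>true,'administrator'=>'administrator'] array the advisory reports.
function vulnerable_update_ayi_data(int $user_id, array $post): void {
    $type   = strip_tags(esc_sql($post['type']   ?? ''));
    $postid = strip_tags(esc_sql($post['postid'] ?? ''));
    $existing = get_user_meta($user_id, $type, true);
    $posts = is_array($existing) ? $existing : [];
    $posts[$postid] = $postid;
    update_user_meta($user_id, $type, $posts);
}

// Hardened version: allow-list the meta key, require a numeric post ID, and
// never let request data choose which user-meta key gets written.
const AYI_META_KEYS = ['ayi_going', 'ayi_maybe', 'ayi_not_going'];   // hypothetical RSVP keys

function hardened_update_ayi_data(int $user_id, array $post): bool {
    // In a real AJAX handler, check_ajax_referer() and is_user_logged_in() come first.
    $type = sanitize_key($post['type'] ?? '');
    if (!in_array($type, AYI_META_KEYS, true)) {
        return false;                       // unknown meta key: refuse rather than "sanitise"
    }
    $postid = absint($post['postid'] ?? 0);
    if ($postid === 0) {
        return false;                       // RSVPs reference events by integer post ID only
    }
    $existing = get_user_meta($user_id, $type, true);
    $posts = is_array($existing) ? $existing : [];
    $posts[$postid] = $postid;
    update_user_meta($user_id, $type, $posts);
    return true;
}

// Post-incident check: a legitimate role entry is role => true. A role key whose
// value is anything else (here 'administrator' => 'administrator') is an artefact
// of this write primitive and worth flagging across all users.
function suspicious_role_entries(array $caps, array $registered_roles): array {
    $bad = [];
    foreach ($caps as $key => $value) {
        if (in_array($key, $registered_roles, true) && $value !== true) {
            $bad[$key] = $value;
        }
    }
    return $bad;
}

// --- Demonstration with a constructed Subscriber (user ID 7) ---
$roles  = ['administrator', 'editor', 'author', 'contributor', 'subscriber'];
$attack = ['type' => 'wp_capabilities', 'postid' => 'administrator'];

update_user_meta(7, 'wp_capabilities', ['subscriber' => true]);
vulnerable_update_ayi_data(7, $attack);
$caps = get_user_meta(7, 'wp_capabilities');
echo "vulnerable: roles now " . implode(',', roles_from_caps($caps, $roles)) . "\n";
echo "audit flags: " . json_encode(suspicious_role_entries($caps, $roles)) . "\n";

update_user_meta(7, 'wp_capabilities', ['subscriber' => true]);
$accepted = hardened_update_ayi_data(7, $attack);
echo "hardened: request accepted? " . ($accepted ? 'yes' : 'no')
   . ", roles " . implode(',', roles_from_caps(get_user_meta(7, 'wp_capabilities'), $roles)) . "\n";
```

The point the hardened handler makes is that escaping is the wrong tool here: strip_tags() and esc_sql() defend against markup and SQL contexts, but the dangerous sink is the meta key itself, so the only adequate control is an allow-list of the keys the feature is permitted to write. On a site that ran a vulnerable version, the audit function's heuristic translates directly into a query over wp_usermeta for wp_capabilities values whose role entries are not the boolean true.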

Fix

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2026-11616

Affected Products

Events Calendar For Geodirectory