The Events Calendar has over 700,000 active installs, making it one of the most widely deployed event management plugins in the WordPress ecosystem. It handles event listings, recurring schedules, community calendars, and CSV-based import workflows. In March 2026, a path traversal vulnerability was disclosed that puts every unpatched installation at risk of exposing database credentials to any logged-in user with Author-level access or higher.
The Vulnerability
CVE-2026-3585 sits in the plugin's CSV import feature: the ajax_create_import handler accepts a caller-supplied file path and reads it without confining that path to the import directory. An attacker with Author-level access or higher can craft a request whose path steps out of the intended directory, so the plugin reads files elsewhere on the server and exposes their contents, including wp-config.php.
The CVSS score is 7.5. That is not the headline-grabbing 9.8 of unauthenticated remote code execution, but the access it requires is exactly what a freelance writer, part-time content editor, or agency staff member typically has. The patched version, 6.15.18, was released the same day the vulnerability was disclosed; earlier versions should be treated as affected.
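To make the bug class concrete, the following is an added illustration written for this article. It is not The Events Calendar's code and not its patch; the function names (`read_import_file_unsafe`, `resolve_import_file`), the temporary site layout and the CSV contents are all constructed for the demo. It shows why joining a user-supplied name onto an import directory is not enough, and what a confinement check that survives both `../` sequences and planted symlinks looks like.

```php
<?php
declare(strict_types=1);

// Illustrative only: NOT The Events Calendar's code. It models the general
// shape of a CSV-import path traversal and one hardened replacement.

// Vulnerable pattern: $file is caller-controlled and is simply joined onto
// the import directory, so "../../../wp-config.php" walks up to the site root.
function read_import_file_unsafe(string $import_dir, string $file): string|false
{
    return @file_get_contents($import_dir . '/' . $file);
}

// Hardened pattern: accept a bare file name only, resolve the real path, and
// require it to remain inside the real import directory. realpath() follows
// symlinks, so a symlink planted in the import directory that points at
// wp-config.php also fails the prefix check. Only .csv files are accepted.
function resolve_import_file(string $import_dir, string $file): ?string
{
    $base = realpath($import_dir);
    if ($base === false) {
        return null;
    }
    // A file *name* never contains a separator or a NUL byte; rejecting them
    // up front blocks "../" and "..\" before any filesystem call.
    if ($file === '' || strpbrk($file, "/\\\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($candidate === false) {
        return null; // missing file, or a dangling symlink
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the import directory
    }
    if (strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) !== 'csv') {
        return null;
    }
    return $candidate;
}

// Constructed site layout in a temp directory (assumption: standard WP paths).
$root = sys_get_temp_dir() . '/tec-demo-' . bin2hex(random_bytes(4));
$imports = "$root/wp-content/uploads/imports";
mkdir($imports, 0700, true);
file_put_contents("$root/wp-config.php", "define('DB_PASSWORD', 'constructed-secret');\n");
file_put_contents("$imports/events.csv", "title,start\nTown Hall,2026-03-01\n");

$traversal = '../../../wp-config.php';
var_dump(read_import_file_unsafe($imports, $traversal) !== false); // bool(true): the unsafe join leaks wp-config.php
var_dump(resolve_import_file($imports, $traversal));              // NULL: rejected before touching the filesystem
var_dump(resolve_import_file($imports, 'events.csv') !== null);   // bool(true): a legitimate import still works

// A symlink inside the import directory pointing at the config file
// (planted through some other upload path) is caught by realpath().
symlink("$root/wp-config.php", "$imports/link.csv");
var_dump(resolve_import_file($imports, 'link.csv'));              // NULL: resolves outside the base

// Clean up the constructed layout.
unlink("$imports/link.csv");
unlink("$imports/events.csv");
unlink("$root/wp-config.php");
rmdir($imports);
rmdir("$root/wp-content/uploads");
rmdir("$root/wp-content");
rmdir($root);
```

Path confinement is one layer. The other, independent of this example, is the capability check on the handler itself: an import that reads server-side files should require a capability that Authors do not hold (WordPress exposes this through `current_user_can()`), so that a future path bug is reachable only by administrators.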
What Author-Level Access Exposes
Author and Contributor accounts are routinely granted to people outside the core team — freelancers writing event content, seasonal staff managing a community calendar, agencies handling content on behalf of a client. They’re also frequently not revoked when those relationships end.
On a site running an unpatched version, any such account at Author level or above can read wp-config.php through the path traversal. That file holds the database host, name, username and password; the authentication keys and salts WordPress uses to sign login cookies and session tokens; and whatever API keys or credentials other plugins have been configured to store there.
With the database credentials, an attacker who can reach the database host (many hosts bind it to localhost, which limits direct use but not what follows) can connect outside WordPress entirely and read or modify any table, and WordPress-level activity logging plugins never see it. With the authentication keys and salts plus access to the user tables, valid login cookies can be minted for any account, administrators included, without knowing a password. None of this requires breaking anything: an Author account and knowledge of the flaw suffice.
700,000 Sites and a Free Patch
The Events Calendar is the kind of plugin that gets installed once, works reliably, and quietly falls behind on updates while everyone focuses on content. Sites running event listings for local businesses, nonprofits, and community organizations aren’t high-value targets in the traditional sense — but automated scanners don’t make that distinction. Bots probe version strings at scale. If your site matches a known CVE, it gets flagged regardless of traffic numbers or industry.
The patch was free and available the day CVE-2026-3585 was disclosed. The gap between “patch available” and “patch installed” is where most real-world exploits happen — not through zero-days, but through known flaws that slipped through a busy week.
What to Do
Update to version 6.15.18 or later. The fix is in the path validation logic of the CSV import handler, and there are no known compatibility issues with the update. Note that patching stops further reads but does not undo one that already happened: if a vulnerable version was exposed to Author-level accounts you do not fully trust, treat wp-config.php as disclosed, rotate the database password and the authentication keys and salts (which logs every user out), and re-issue any API credentials stored in that file.
Beyond the update, audit contributor and author accounts. Remove access for anyone who no longer needs it. A dormant account from a freelancer whose contract ended six months ago is a live attack vector on any site that hasn’t patched.
Trusti Security’s vulnerability scanner checks installed plugins against a live CVE database and flags matches as soon as they’re documented — so a newly disclosed vulnerability like this one surfaces in your dashboard before it becomes a forensic question.