{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3585", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-05T06:16:21.181Z", "datePublished": "2026-03-10T03:33:51.369Z", "dateUpdated": "2026-03-10T03:33:51.369Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-10T03:33:51.369Z"}, "affected": [{"vendor": "stellarwp", "product": "The Events Calendar", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "6.15.17", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "title": "The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92e404ab-fe2b-45b3-b8ff-672f7888b747?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/the-events-calendar/tags/6.15.17/src/Tribe/Aggregator/Tabs/New.php#L466"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-03-05T06:32:14.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-09T14:40:15.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{}

{}

{}