CVE-2026-3585 Vulnerability Summary

Vulnerability Overview
CVE ID: CVE-2026-3585
Vulnerability Name: The Events Calendar – LFI Author+
Vulnerability Type: Authenticated Local File Inclusion
Description: This vulnerability exists in the CSV import path of The Events Calendar plugin. Low-privilege users (those with the Author role or higher) can point the importer at an arbitrary local path and force the server to open it as a CSV file. Although this is not code execution in itself, it allows reading sensitive server files (for example configuration files holding database credentials or API keys), leading to sensitive information disclosure.

Affected Scope
Affected Plugin: The Events Calendar
Affected Versions: <= 6.15.17
Active Installations: 700,000+
Disclosure Date: March 9, 2026
Researcher: Dmitrii Ignatyev

Remediation Recommendations
1. Implement Strict Path Policies: The importer must enforce that CSV file paths are located only within approved directories (typically the upload directory or a dedicated aggregator import directory).
2. Path Validation: Canonicalize the candidate path (resolving symlinks and ".." components) and compare it against the canonical base directory with a prefix check. Any path that resolves outside the allowed base must be rejected before the import record is created.
3. Prohibit Direct Filesystem Access: Do not accept raw filesystem paths from users; only accept files uploaded through WordPress media handling.
4. Access Control: Restrict the aggregator import endpoint to trusted roles; it should not be reachable by unprivileged users.
5. Mitigation Measures: If CSV import is not required, disable it. If a leak is suspected, rotate any secrets that may have been read (API keys, database credentials).

POC Code
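The following is an added example of the path policy described in remediation steps 1 to 4. It is illustrative code written for this page, not The Events Calendar's own importer and not the proof of concept referenced by the heading above. The function names (tec_resolve_import_csv, tec_can_use_import_endpoint, tec_demo), the choice of PHP's realpath() for canonicalization, the 'manage_options' capability used as the trusted-role gate, and the temporary directory layout built by tec_demo are all assumptions for the sake of the example.

```php
<?php
// Added example (not the plugin's code): a strict path policy for a CSV importer.
// Assumption: the allowed base directory is supplied by the caller; in WordPress it
// would normally be wp_upload_dir()['basedir'] or a dedicated import subdirectory.

/**
 * Return the canonical path of $candidate if it is a readable regular .csv file
 * inside $baseDir, otherwise null. Every check runs before any import record exists.
 */
function tec_resolve_import_csv(string $candidate, string $baseDir): ?string
{
    // Reject empty input, embedded NUL bytes, and scheme-like prefixes (php://, file://,
    // http://) before touching the filesystem; realpath() would choke on a NUL anyway.
    if ($candidate === '' || strpos($candidate, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $candidate) === 1) {
        return null;
    }

    // Canonicalize the base directory; realpath() resolves symlinks and ".." components.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // A relative candidate is resolved against the base directory, never against the
    // process working directory. Absolute candidates are canonicalized as given.
    $isAbsolute = $candidate[0] === '/' || preg_match('#^[A-Za-z]:[\\\\/]#', $candidate) === 1;
    $target = realpath($isAbsolute ? $candidate : $baseDir . DIRECTORY_SEPARATOR . $candidate);
    if ($target === false) {
        return null; // nonexistent, dangling symlink, or untraversable component
    }

    // Prefix check on the canonical paths. The trailing separator on $base stops
    // "/var/uploads-evil" from matching an allowed "/var/uploads".
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return null;
    }

    // Only regular, readable files with a .csv extension are importable.
    if (!is_file($target) || !is_readable($target)
        || strtolower(pathinfo($target, PATHINFO_EXTENSION)) !== 'csv') {
        return null;
    }

    return $target;
}

/**
 * Authorization gate for the import endpoint (remediation step 4). 'manage_options'
 * is an assumed stand-in for whatever trusted capability the site chooses; Author and
 * Editor roles do not hold it. Returns false outside WordPress so the demo stays offline.
 */
function tec_can_use_import_endpoint(): bool
{
    return function_exists('current_user_can') && current_user_can('manage_options');
}

/** Run the policy against constructed inputs in a throwaway temp directory. */
function tec_demo(): array
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tec-import-' . bin2hex(random_bytes(4));
    mkdir($base . '/inbox', 0700, true);
    file_put_contents($base . '/inbox/events.csv', "title,start\nTalk,2026-03-09\n");
    file_put_contents($base . '/inbox/notes.txt', "not a csv\n");
    // A symlink that lives inside the base but points outside it must still be rejected.
    @symlink('/etc/hostname', $base . '/inbox/link.csv');

    $cases = [
        'inbox/events.csv',                                   // ALLOW: relative, inside base
        $base . '/inbox/events.csv',                          // ALLOW: absolute, inside base
        '../../../../etc/passwd',                             // REJECT: traversal out of base
        '/etc/passwd',                                        // REJECT: absolute path outside base
        'inbox/notes.txt',                                    // REJECT: not a .csv
        'inbox/link.csv',                                     // REJECT: symlink escapes base
        'php://filter/resource=' . $base . '/inbox/events.csv', // REJECT: stream wrapper
        "inbox/events.csv\0.txt",                             // REJECT: NUL byte
    ];
    $results = [];
    foreach ($cases as $c) {
        $results[str_replace("\0", '\0', $c)] = tec_resolve_import_csv($c, $base) === null ? 'REJECT' : 'ALLOW';
    }

    // Clean up the constructed layout.
    foreach (['inbox/link.csv', 'inbox/notes.txt', 'inbox/events.csv'] as $f) {
        @unlink($base . '/' . $f);
    }
    @rmdir($base . '/inbox');
    @rmdir($base);
    return $results;
}

foreach (tec_demo() as $path => $verdict) {
    printf("%-72s %s\n", $path, $verdict);
}
```

Note that the check compares canonical paths on both sides: comparing a user-supplied string against the base directory before realpath() would let "../" sequences and symlinks through. In a real plugin the resolved path would still only be accepted after tec_can_use_import_endpoint() (or the site's equivalent capability check) has passed, and step 3 of the recommendations, accepting only files that arrived through WordPress media handling, removes the need to take a filesystem path from the user at all.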