WordPress GeoDirectory Plugin Privilege Escalation via AJAX Handler

The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) — with no allow-list — to the attacker-controlled $_POST['type'] and $_POST['postid'] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the 'administrator' array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator.

Casky was already ahead

This CVE exploits attack patterns that Casky's 203matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

The Events Calendar for GeoDirectory plugin contains a critical privilege escalation vulnerability in its AJAX handler that fails to properly validate user-supplied input before updating user metadata. By manipulating the 'type' and 'postid' POST parameters, an unauthenticated or low-privileged attacker can inject arbitrary values—most dangerously 'wp_capabilities'—into user meta fields, effectively granting themselves administrator-level access. This vulnerability affects all versions up to 2.3.28 and represents a severe risk to any WordPress installation using this plugin, as it bypasses WordPress's standard capability checks and directly modifies the authorization mechanism at the database level.

Casky's 203 mapped skills detect this attack through Claude AI's extended reasoning across MITRE ATT&CK TA0004 (Privilege Escalation) techniques. Practitioners using Casky would identify attack patterns including: insufficient input validation (CWE-269), unsafe AJAX handler design, improper use of esc_sql() without context-aware sanitization, and direct manipulation of wp_capabilities metadata. The platform's skill correlation would flag suspicious POST requests to ajax_ayi_action with type parameters matching WordPress meta keys, unusual wp_user_meta modification patterns, and sudden privilege escalation events tied to plugin AJAX calls—enabling security teams to detect both exploitation attempts and post-compromise indicators before attackers establish persistent administrative access.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

203 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-11616.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-office365-audit-logs-for-compromise

cloud security · low

Run

MITRE ATT&CK Techniques

TA0004

Investigate the attack patterns behind CVE-2026-11616

Casky has 203 skills that investigate the attack patterns behind CVE-2026-11616. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn