PT-2026-20281 · WordPress · Eventprime
Supoj Polsawas
·
Publicado
2026-02-18
·
Atualizado
2026-02-18
·
CVE-2026-1655
CVSS v3.1
4.3
Média
| Vetor | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
EventPrime plugin for WordPress versions prior to 4.2.8.5
Description
The EventPrime plugin for WordPress is susceptible to unauthorized post modification because of absent authorization checks. The
save frontend event submission function accepts a user-controlled event id parameter and updates the corresponding event post without verifying ownership or capabilities. This allows authenticated attackers with Customer+ privileges to modify posts created by administrators by manipulating the event id parameter, provided they have a valid nonce.Recommendations
Update the EventPrime plugin to version 4.2.8.5 or later.
Correção
Missing Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Eventprime