PT-2026-20281 · WordPress · Eventprime
Supoj Polsawas
·
Published
2026-02-18
·
Updated
2026-02-18
·
CVE-2026-1655
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
EventPrime plugin for WordPress versions prior to 4.2.8.5
Description
The EventPrime plugin for WordPress is susceptible to unauthorized post modification because of absent authorization checks. The
save frontend event submission function accepts a user-controlled event id parameter and updates the corresponding event post without verifying ownership or capabilities. This allows authenticated attackers with Customer+ privileges to modify posts created by administrators by manipulating the event id parameter, provided they have a valid nonce.Recommendations
Update the EventPrime plugin to version 4.2.8.5 or later.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Eventprime