CVE-2026-1657

CVSS v3.1

5.3

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions EventPrime versions prior to 4.2.8.5

Description The EventPrime plugin for WordPress is susceptible to unauthorized image file uploads. The plugin registers the

upload file media

API endpoint as publicly accessible without requiring authentication, authorization, or nonce verification, despite a nonce being created. This allows unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the

ep upload file media

endpoint.

Recommendations Update EventPrime to version 4.2.8.5 or later.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2026-1657

Affected Products

Eventprime

Wordpress

CVE-2026-1657

Weakness Enumeration

Related Identifiers

Affected Products

References · 10