CVE-2026-1657

Name of the Vulnerable Software and Affected Versions EventPrime versions prior to 4.2.8.5

Description The EventPrime plugin for WordPress is susceptible to unauthorized image file uploads. The plugin registers the upload file media API endpoint as publicly accessible without requiring authentication, authorization, or nonce verification, despite a nonce being created. This allows unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep upload file media endpoint.

Recommendations Update EventPrime to version 4.2.8.5 or later.