EventPrime < 4.2.8.5 – Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint | CVE 2026-1657 | Plugin Vulnerabilities

Description

The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.

Affects Plugins

eventprime-event-calendar-management

Fixed in 4.2.8.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/42aa82ff-0d37-4040-b8fc-84d29534a4b7

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Tharadol Suksamran (d3kc4rt_1)

Verified

No

WPVDB ID

1ab710f6-27dc-4580-84f3-a61e737c6278

Timeline

Publicly Published

2026-02-16 (about 3 months ago)

Added

2026-02-16 (about 3 months ago)

Last Updated

2026-02-17 (about 3 months ago)

Other

Published

Title

Published

2026-02-11

Title

LearnPress Export Import < 4.1.1 - Missing Authentication to Unauthenticated Migrated Course Deletion

Published

2025-11-30

Title

Payment Gateway for PayPal on WooCommerce < 9.0.54 - Missing Authorization

Published

2026-02-13

Title

Media Library Folders < 8.3.7 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Attachment Deletion and Rename

Published

2024-10-25

Title

Download Monitor < 5.0.13 - Missing Authorization to API Key Manipulation

Published

2026-01-07

Title

Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager < 3.1.6 - Missing Authorization to Authenticated (Author+) Media Replacement