WordPress Plugin Vulnerabilities

EventPrime – Events Calendar, Bookings and Tickets < 4.3.0.1 - Authenticated (Subscriber+) Insecure Direct Object Reference

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions.

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 4.3.0.1

References

CVE
CVE-2026-39518
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/77608ee4-1917-4b2c-8acf-5d6087c5ae7a

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
James Pirstin
Verified
No
WPVDB ID
7504bed5-5216-4b19-af5a-802e0c832a98

Timeline

Publicly Published
2026-04-20 (about 1 month ago)
Added
2026-04-30 (about 29 days ago)
Last Updated
2026-04-30 (about 29 days ago)

Other

Published
Title
Published
2024-11-12
Title
WP ERP < 1.13.4 - Unauthorized Access to Terminated Employee Information
Published
2026-03-20
Title
REST API TO MiniProgram <= 5.1.2 - Subscriber+ Insecure Direct Object Reference via 'userid'
Published
2025-11-07
Title
Groups < 3.8.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join
Published
2023-09-12
Title
Simplr Registration Form Plus+ <= 2.4.5 - Subscriber+ Arbitrary User Password Change via IDOR
Published
2024-10-16
Title
WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin < 1.0.26 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover