WordPress Plugin Vulnerabilities

EventPrime < 4.2.8.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter

Description

The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter granted they can obtain a valid nonce.

Affects Plugins

Plugin icon
eventprime-event-calendar-management
Fixed in 4.2.8.5

References

CVE
CVE-2026-1655
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0e2a2769-1309-4aad-8411-4445efea2b66

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Supoj Polsawas (sp0x5ec)
Verified
No
WPVDB ID
a38af8c9-c8ff-4724-bf64-0097184370c0

Timeline

Publicly Published
2026-02-17 (about 3 months ago)
Added
2026-02-17 (about 3 months ago)
Last Updated
2026-02-18 (about 3 months ago)

Other

Published
Title
Published
2024-12-11
Title
Quietly Insights <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2024-12-11
Title
Snippet Shortcodes < 4.1.7 - Authenticated (Subscriber+) Shortcode Deletion
Published
2025-10-02
Title
Jock On Air Now (JOAN) < 6.0.5 - Missing Authorization
Published
2024-02-26
Title
Rolo Slider <= 1.0.9 - Missing Authorization to Authenticated(Subscriber+) Settings Change
Published
2024-08-07
Title
Tutor LMS < 2.7.4 - Missing Authorization