Impact
The vulnerability is a missing authorization flaw that allows an attacker to bypass configured access control security levels and gain unauthorized access to restricted functionality within the WordPress EventPrime plugin. The weakness maps to CWE‑862 and can enable privileged actions that should be limited to higher‑privileged users. According to the official description, exploitation can occur when incorrect access controls are in place, leading to potential exposure of sensitive administrative features. The CVSS score of 4.3 indicates moderate severity: the flaw does not provide direct remote code execution, but it can still have significant operational impact when a user who can reach the affected functions invokes them.
Affected Systems
WordPress installations that use the EventPrime plugin (slug eventprime-event-calendar-management) in version 4.2.4.1 or earlier are affected. The vulnerability is documented for all versions from the first release through 4.2.4.1.
Risk and Exploitability
The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The attack vector is inferred to require authenticated access: because the authorization check is missing, users who can authenticate but should not hold elevated permissions can reach the restricted functionality. Exploitation relies on misconfigured role or capability settings within WordPress and is typically performed by an attacker who holds a lower‑privilege account or has already compromised the site. Given the moderate CVSS score and low EPSS, immediate remediation is recommended, but the overall risk is moderate.
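To make the CWE‑862 pattern described in the Impact and Risk sections concrete, the following is an added illustration and is not EventPrime's own code: a hypothetical WordPress AJAX handler (names `example_delete_event*`, post type `example_event` and nonce action `example_delete_event` are invented) shown first without an authorization check, then with a nonce check plus a capability check that fails closed. It assumes the WordPress runtime functions used here are available.

```php
<?php
// Added illustration of a CWE-862 missing-authorization defect in a WordPress
// plugin handler. Hypothetical names; not the affected plugin's code.

// Vulnerable shape: wp_ajax_* runs for ANY logged-in user, and the callback
// performs a privileged change without checking intent (nonce) or capability.
add_action( 'wp_ajax_example_delete_event', 'example_delete_event_vulnerable' );
function example_delete_event_vulnerable() {
    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    // A subscriber-level account reaches this line: that is the missing check.
    wp_delete_post( $event_id, true );
    wp_send_json_success();
}

// Hardened shape: verify the request nonce (created on the front end with
// wp_create_nonce( 'example_delete_event' )) and then the user's capability
// for this specific object before acting. Each failure path ends the request.
add_action( 'wp_ajax_example_delete_event_safe', 'example_delete_event_hardened' );
function example_delete_event_hardened() {
    // Rejects requests without a valid nonce in $_REQUEST['nonce'] (dies on failure).
    check_ajax_referer( 'example_delete_event', 'nonce' );

    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( 0 === $event_id || 'example_event' !== get_post_type( $event_id ) ) {
        wp_send_json_error( 'invalid event', 400 );
    }

    // Object-level authorization: the meta-capability delete_post resolves to
    // delete_posts / delete_others_posts for this post's type and owner.
    if ( ! current_user_can( 'delete_post', $event_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $event_id, true );
    wp_send_json_success();
}
```

When auditing a plugin for this class of flaw, look for every `wp_ajax_*`, REST route (`permission_callback`) and `admin_post_*` entry point and confirm a `current_user_can()` check precedes each state change.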
OpenCVE Enrichment