Description
Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.6.0.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

Metagauss EventPrime for WordPress contains a broken access control flaw that allows a malicious actor to perform actions normally restricted to authorized users. The vulnerability can be leveraged to add, modify, or delete events and calendar data, potentially affecting the confidentiality, integrity, and availability of the site’s event management features. The weakness is identified as CWE-862, highlighting missing authorization checks.

Affected Systems

The flaw is present in all releases of EventPrime up through version 4.2.6.0. Any WordPress site running this plugin version is potentially impacted.

Risk and Exploitability

The risk score of 7.5 indicates high severity, yet the estimated probability of exploitation is very low and there is no evidence of widespread attacks. Assuming an attacker can reach the plugin’s web endpoints, they could exploit the missing authorization controls without elevated credentials, making the attack vector likely remote and server-side. Successful exploitation would grant the attacker full administrative control over event data, but would not provide broader WordPress installation privileges unless combined with other weaknesses.

Generated by OpenCVE AI on March 26, 2026 at 22:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update EventPrime to a version newer than 4.2.6.0

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Metagauss
Metagauss eventprime
Wordpress
Wordpress wordpress
Vendors & Products Metagauss
Metagauss eventprime
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.6.0.
Title WordPress EventPrime plugin <= 4.2.6.0 - Broken Access Control vulnerability
Weaknesses CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:01.642Z

Reserved: 2025-12-31T20:12:32.245Z

Link: CVE-2025-69358

Vulnrichment

Updated: 2026-03-26T19:50:11.457Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:27.830

Modified: 2026-04-24T16:32:53.997

Link: CVE-2025-69358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:57Z

Weaknesses