Description
The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter, provided they can obtain a valid nonce.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized event modification leading to post integrity compromise
Action: Immediate Patch
AI Analysis

Impact

The EventPrime plugin for WordPress is missing an authorization check in its save_frontend_event_submission function. The function accepts a user-controlled event_id parameter and updates the matching event post without verifying that the requester owns that post or holds a capability to edit it, so any low-privileged authenticated user who holds a valid nonce can supply the ID of an event created by an administrator and overwrite its content. The result is a loss of integrity for event content (details and schedules can be altered); confidentiality and availability are not affected according to the CVSS vector. The weakness is classified as CWE-862, Missing Authorization.
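To make the flaw concrete, the following is an added illustration written for this page, not EventPrime's own code. It shows the handler shape the description implies (nonce checked, event_id trusted) next to a hardened version. Only the function name save_frontend_event_submission and the event_id parameter come from the advisory; the AJAX action name ep_save_frontend_event, the nonce action string ep_frontend_event, the post type ep_event and the title/description form fields are assumptions.

```php
<?php
// Added illustration for this advisory; not EventPrime's actual code.
// Assumed names: nonce action 'ep_frontend_event', post type 'ep_event',
// AJAX action 'ep_save_frontend_event', form fields 'title'/'description'.

// Pattern the description attributes to vulnerable versions: the nonce is
// verified, then the user-supplied event_id is trusted and written directly.
function vulnerable_save_frontend_event_submission() {
    // CSRF check only: proves the request carries a nonce issued to this session.
    check_ajax_referer( 'ep_frontend_event', 'nonce' );

    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;

    wp_update_post( array(
        'ID'           => $event_id, // attacker-chosen; nobody asked whether this user may edit it
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) ),
    ) );
    wp_send_json_success();
}

// Hardened form: the nonce is still required (CSRF), and authorization is
// enforced per object with the edit_post meta-capability, which WordPress
// resolves to edit_posts / edit_others_posts / edit_published_posts based on
// the post's author and status. A Subscriber editing an administrator's post fails it.
function hardened_save_frontend_event_submission() {
    check_ajax_referer( 'ep_frontend_event', 'nonce' );

    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    $event    = $event_id ? get_post( $event_id ) : null;

    // The target must exist and be an event; otherwise event_id could point at any post.
    if ( ! $event || 'ep_event' !== $event->post_type ) { // 'ep_event' is an assumed post type
        wp_send_json_error( 'invalid event', 400 );
    }

    // Per-object authorization: may *this* user edit *this* post?
    if ( ! current_user_can( 'edit_post', $event->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_update_post( array(
        'ID'           => $event->ID,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) ),
    ) );
    wp_send_json_success();
}

// Logged-in users only (no wp_ajax_nopriv_ variant); action name is assumed.
add_action( 'wp_ajax_ep_save_frontend_event', 'hardened_save_frontend_event_submission' );
```

The difference is where the check sits: check_ajax_referer proves the request carries a nonce issued to the current session (a CSRF control), while current_user_can( 'edit_post', $id ) asks WordPress whether this user may edit this specific post. To verify a fix of this shape, log in as a Subscriber, take a nonce from the frontend form, and post another user's event_id; the expected result is a 403 response and an unchanged post.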

Affected Systems

The vulnerability exists in all versions of the metagauss EventPrime plugin up to and including 4.2.8.4. Sites running any of these releases are affected and require attention.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 4.3 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: network-reachable, low complexity, low privileges, no user interaction, integrity impact only) and an EPSS score below 1%, that is, medium severity with a very low current exploitation probability. Exploitation requires an authenticated account plus a valid nonce for the AJAX endpoint. Two caveats matter when judging that bar. First, the CVE title names the minimum role as Subscriber+ while the description says Customer+ (the WooCommerce customer role); both are the lowest-privilege roles on a site, and on sites with open registration any visitor can obtain one, so this is not only an insider or compromised-account scenario. Second, a WordPress nonce is a CSRF token tied to the requester's own session, not an authorization control: any user allowed to load the frontend submission form is issued one, so obtaining a valid nonce is routine for the attacker. Although the exploitation likelihood is currently low, the impact, unauthorized modification of event posts created by administrators, warrants timely remediation.

Generated by OpenCVE AI on April 15, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the EventPrime plugin to a release newer than 4.2.8.4 whose changelog confirms that the missing authorization check is fixed, as soon as the vendor publishes one.
  • Until then, disable frontend event editing, or restrict it so that only administrators (or only users permitted to edit the target event) can reach the frontend AJAX endpoint; confirm the restriction with a low-privileged test account submitting another user's event_id.
  • Ensure that any custom code or hooks that pass event_id to the save_frontend_event_submission function perform a per-object capability check (for example WordPress's edit_post meta-capability for that event) before the update runs.
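For the interim mitigation in the second bullet, the following is an added example of a must-use plugin, not EventPrime code, that enforces the per-object check on every admin-ajax.php request carrying an event_id for the event post type, before any wp_ajax_* handler runs. It relies only on the event_id parameter named in the advisory; the post type ep_event is an assumption and must be replaced with the plugin's real post type (visible in the post_type column of wp_posts).

```php
<?php
/**
 * Plugin Name: Interim event_id authorization guard
 * Description: Added example for this advisory, not EventPrime code. Place in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so a
 * check hooked there at priority 0 runs ahead of the plugin's own handler.
 */
add_action( 'admin_init', function () {
    // Only AJAX requests that name an existing event are of interest.
    if ( ! wp_doing_ajax() || ! isset( $_REQUEST['event_id'] ) ) {
        return;
    }

    $event_id = absint( $_REQUEST['event_id'] );
    if ( 0 === $event_id ) {
        return; // new-event submissions carry no existing ID; leave them to the plugin
    }

    $event = get_post( $event_id );
    if ( ! $event || 'ep_event' !== $event->post_type ) { // 'ep_event' is an assumed post type
        return; // not an event: do not interfere with other plugins' AJAX calls
    }

    // The check the vulnerable handler omits: may this user edit this event?
    if ( ! current_user_can( 'edit_post', $event_id ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and terminates the request
    }
}, 0 );
```

This guard is coarse by design: it keys on the parameter name rather than on the plugin's AJAX action (which the advisory does not give), so it also covers any other EventPrime AJAX action that updates an event by event_id, and it leaves requests for non-event posts untouched. Remove it once the vendor fix is installed and verified.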



Advisories

No advisories yet.

History

Wed, 18 Feb 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Metagauss
                                       Metagauss eventprime – Events Calendar, Bookings And Tickets
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products    (none)           Metagauss
                                       Metagauss eventprime – Events Calendar, Bookings And Tickets
                                       Wordpress
                                       Wordpress wordpress

Wed, 18 Feb 2026 07:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter granted they can obtain a valid nonce.
Title         (none)           EventPrime <= 4.2.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter
Weaknesses    (none)           CWE-862
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Metagauss Eventprime – Events Calendar, Bookings And Tickets
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:24.605Z

Reserved: 2026-01-29T19:20:41.453Z

Link: CVE-2026-1655

Vulnrichment

Updated: 2026-02-18T12:25:09.047Z

NVD

Status : Deferred

Published: 2026-02-18T08:16:14.257

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1655

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses