Description
The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.
Published: 2026-02-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Upload
Action: Patch Immediately
AI Analysis

Impact

The EventPrime plugin registers the ep_upload_file_media AJAX action as nopriv, meaning it is publicly accessible. No authentication or proper authorization checks are performed, even though a nonce is created and never enforced. This flaw allows an unauthenticated attacker to send a POST request to the endpoint and upload any image file to the WordPress uploads directory. The ability to place arbitrary files on the server can be leveraged for phishing, persistence, or defacement. If the server is configured to execute uploads, the attacker could potentially run code on the site; this possibility is inferred from the description and is not directly confirmed.

Affected Systems

All WordPress installations running the EventPrime Events Calendar, Bookings and Tickets plugin version 4.2.8.4 or earlier are affected. Any site using these builds has the ep_upload_file_media endpoint exposed without authorization.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests real‑world exploitation is currently rare or undocumented. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit this flaw by sending a crafted POST request to http://<site>/wp-admin/admin-ajax.php without any authentication or additional prerequisites. The vulnerability allows arbitrary file upload, and while remote code execution is inferred if the server executes uploaded content, this outcome is not directly supported by the description.

Generated by OpenCVE AI on April 18, 2026 at 12:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the EventPrime plugin to a version newer than 4.2.8.4, which removes the unauthenticated upload_file_media endpoint.
  • If upgrading is not immediately possible, restrict write permissions on the wp‑content/uploads directory to the web server user and configure the web server to prevent execution of files in that directory.
  • Block the ep_upload_file_media AJAX action for non‑authenticated users by adding a rule that rejects requests lacking a valid logged‑in session or properly validated nonce, which aligns with CWE‑862 remediation guidance for enforcing authorization.

Generated by OpenCVE AI on April 18, 2026 at 12:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Metagauss
Metagauss eventprime – Events Calendar, Bookings And Tickets
Wordpress
Wordpress wordpress
Vendors & Products Metagauss
Metagauss eventprime – Events Calendar, Bookings And Tickets
Wordpress
Wordpress wordpress

Tue, 17 Feb 2026 05:45:00 +0000

Type Values Removed Values Added
Description The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.
Title EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Metagauss Eventprime – Events Calendar, Bookings And Tickets
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:57.769Z

Reserved: 2026-01-29T20:00:13.921Z

Link: CVE-2026-1657

cve-icon Vulnrichment

Updated: 2026-02-17T14:33:50.892Z

cve-icon NVD

Status : Deferred

Published: 2026-02-17T06:16:18.173

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1657

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:15:15Z

Weaknesses