Description
Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions.
Published: 2026-06-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The EventPrime plugin prior to version 4.3.0.1 is vulnerable to Insecure Direct Object References (IDOR). The flaw allows a subscriber to manipulate request parameters and gain unauthorized access to the data of other subscribers or protected resources. This can lead to disclosure of personal information and potentially allow further exploitation if the compromised data is used to elevate privileges or conduct phishing attacks.

Affected Systems

WordPress sites running the EventPrime plugin version 4.3.0.0 or earlier. The vulnerability impacts all installations in which the plugin is activated, regardless of user role, because the IDOR is present in the subscriber workflow.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score is less than 1%, suggesting that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is likely local to the site’s subscriber interface, and any authenticated or unprivileged subscriber could exploit the IDOR by crafting URLs or form submissions. The exploitation does not require elevated privileges, so a determined attacker can reach the flaw by simply navigating the site or sending crafted requests.

Generated by OpenCVE AI on June 16, 2026 at 22:29 UTC.

Remediation

Vendor Solution

Update the WordPress EventPrime Plugin to the latest available version (at least 4.3.0.1).

OpenCVE Recommended Actions

  • Update the EventPrime plugin to version 4.3.0.1 or newer.
  • If an immediate update is not possible, restrict access to subscriber URLs by adding authentication checks or whitelisting specific user roles.
  • Verify that the plugin’s input parameters enforce proper access controls and reject impersonation attempts.

Generated by OpenCVE AI on June 16, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions.
Title WordPress EventPrime plugin <= 4.3.0.0 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T17:11:42.240Z

Reserved: 2026-04-07T10:48:03.414Z

Link: CVE-2026-39518

cve-icon Vulnrichment

Updated: 2026-06-16T13:29:55.989Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:46.333

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39518

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T22:30:05Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key