Impact
The vulnerability is a missing authorization flaw (CWE-862) in the EventPrime WordPress plugin that allows users to perform actions normally restricted to administrators. An attacker who can reach the plugin's administrative endpoints may be able to add, edit, or delete events, undermining the integrity and availability of the scheduled content managed by the site. Unauthorized manipulation of event data could be used to deface the site, reschedule events, or expose sensitive information.
Affected Systems
The issue affects all versions of the EventPrime WordPress plugin up to and including 4.3.2.0. Any WordPress site that runs EventPrime and has not upgraded to a patched release is potentially vulnerable.
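A defender can check a server for the affected range by reading plugin headers, as in this added example (not code from the advisory or from the EventPrime project). It assumes the plugin can be recognised by "EventPrime" in its `Plugin Name` header and that the plugins directory path is passed in by the operator; the sample tree it scans is constructed.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (4, 3, 2, 0)  # advisory: affected through and including 4.3.2.0
HEADER_BYTES = 8192  # WordPress reads plugin headers from the first 8 KB

def parse_version(text):
    """'4.3.2.0' -> (4, 3, 2, 0); short versions are zero-padded, so an
    unreadable version becomes (0, 0, 0, 0) and is reported, not skipped."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def read_header(php_file):
    """Return (plugin name, version string) from a plugin header, or None."""
    head = php_file.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
    name = re.search(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+)$", head, re.M | re.I)
    ver = re.search(r"^[ \t/*#@]*Version:[ \t]*(.+)$", head, re.M | re.I)
    if not name:
        return None
    return name.group(1).strip(), (ver.group(1).strip() if ver else "")

def find_affected(plugins_dir):
    """List (file, version) for EventPrime installs at or below 4.3.2.0."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        # Assumption: the plugin is recognised by "EventPrime" in its name.
        if header and "eventprime" in header[0].lower():
            if parse_version(header[1]) <= LAST_AFFECTED:
                hits.append((str(php_file), header[1]))
    return hits

def demo():
    """Scan a constructed plugins tree; folder names and 99.0.0.0 are made up."""
    with tempfile.TemporaryDirectory() as root:
        for folder, version in (("ep-old", "4.3.2.0"), ("ep-new", "99.0.0.0")):
            plugin = Path(root, folder)
            plugin.mkdir()
            plugin.joinpath("main.php").write_text(
                f"<?php\n/**\n * Plugin Name: EventPrime\n * Version: {version}\n */\n")
        return [version for _, version in find_affected(root)]

if __name__ == "__main__":
    print(demo())
```

Call `find_affected()` with the site's `wp-content/plugins` path; any entry it returns is at or below 4.3.2.0 and should be upgraded.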
Risk and Exploitability
The CVSS score of 7.5 classifies the flaw as high severity, indicating that exploitation can have substantial impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no broadly reported exploitation to date. However, the description indicates that security levels are incorrectly configured, implying that the flaw can be exercised by reaching the plugin's endpoints, most likely through remote web interaction. Because no concrete information about authentication requirements is available, it is uncertain whether unauthenticated users can exploit the flaw, but the potential for privilege escalation remains high if any standard user can access the affected functionality.