Vulnerability Description
The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter granted they can obtain a valid nonce.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/
- https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/
- https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/
- https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0e2a2769-1309-4aad-841
FAQ
What is CVE-2026-1655?
CVE-2026-1655 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_...
How severe is CVE-2026-1655?
CVE-2026-1655 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-1655?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.