[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9pCaHI87g0RsiwpXdw5KDFiD4zb73ipgyGeRXKUXXk4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-25312","eventprime-events-calendar-bookings-and-tickets-missing-authorization-2","EventPrime – Events Calendar, Bookings and Tickets \u003C= 4.2.8.3 - Missing Authorization","The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.8.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.","eventprime-event-calendar-management",null,"\u003C=4.2.8.3","4.2.8.4","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-18 00:00:00","2026-03-27 20:17:15",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc603bd67-2e14-45ed-bbff-1bcbd3c18425?source=api-prod",10,[22,23,24,25,26,27],"admin\u002Fclass-eventprime-event-calendar-management-admin.php","admin\u002Fpartials\u002Fmetaboxes\u002Fmeta-box-booking-attendees.php","admin\u002Fpartials\u002Fmetaboxes\u002Fmeta-box-checkout-fields-panel-html.php","admin\u002Fpartials\u002Freports\u002Fparts\u002Fbookings\u002Fbooking-list.php","admin\u002Fpartials\u002Freports\u002Fparts\u002Fbookings\u002Fload-more-booking-list.php","admin\u002Fpartials\u002Fsettings\u002Fsettings-tab-emails.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-25312 (Missing Authorization in EventPrime)\n\n## 1. Vulnerability Summary\nThe **EventPrime – Events Calendar, Bookings and Tickets** plugin (up to version 4.2.8.3) contains a missing authorization vulnerability. An unauthenticated attacker can perform unauthorized actions—specifically state-changing operations such as dismissing administrative notices—due to the plugin registering an AJAX handler via `wp_ajax_nopriv_` without implementing a `current_user_can()` check.\n\n## 2. Attack Vector Analysis\n* **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Action:** `ep_dismiss_admin_notice` (Inferred from nonce naming)\n* **Vulnerable Parameter:** `notice_id`\n* **Authentication:** None (Exploitable via `wp_ajax_nopriv_`)\n* **Preconditions:** The attacker must obtain a valid nonce, which is localized and leaked on pages where the plugin's admin utilities are enqueued.\n\n## 3. Code Flow\n1. In `admin\u002Fclass-eventprime-event-calendar-management-admin.php`, the method `enqueue_scripts()` creates a nonce with the action string `'ep_dismissable_notice_nonce'`.\n2. This nonce is localized to the JavaScript variable `ep_ajax_object` under the key `nonce`.\n3. The plugin registers an AJAX handler (likely `ep_dismiss_admin_notice`) using `add_action('wp_ajax_nopriv_ep_dismiss_admin_notice', ...)` and `add_action('wp_ajax_ep_dismiss_admin_notice', ...)`.\n4. The handler function verifies the nonce using `check_ajax_referer('ep_dismissable_notice_nonce', 'nonce')` or `wp_verify_nonce()`.\n5. Crucially, the handler **fails to check** if the requester has administrative privileges (e.g., `manage_options`).\n6. An unauthenticated user can provide a valid nonce and a `notice_id` to modify the site state by dismissing persistent admin notices for all users.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is localized in the `ep_ajax_object` object. While enqueued in the admin class, EventPrime often loads these utilities on the frontend or login pages if certain blocks\u002Fshortcodes are present.\n\n1. **Identify Trigger:** The plugin's scripts are typically enqueued when a calendar or event list is rendered.\n2. **Create Setup Page:**\n ```bash\n wp post create --post_type=page --post_title=\"Calendar Test\" --post_status=publish --post_content='[em_calendar]'\n ```\n3. **Navigate and Extract:**\n * Navigate to the newly created page.\n * Use `browser_eval` to extract the nonce:\n ```javascript\n window.ep_ajax_object?.nonce\n ```\n\n## 5. Exploitation Strategy\nOnce the nonce is obtained, perform an unauthenticated POST request to trigger the unauthorized action.\n\n* **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Method:** `POST`\n* **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n* **Body:**\n ```\n action=ep_dismiss_admin_notice&nonce=[EXTRACTED_NONCE]¬ice_id=ep_rating_notice\n ```\n *(Note: common notice IDs include `ep_rating_notice`, `ep_welcome_notice`, or `ep_trial_notice`)*.\n\n## 6. Test Data Setup\n1. Install EventPrime version 4.2.8.3.\n2. Ensure at least one admin notice is \"visible\" (default on fresh install).\n3. Create a public page with the `[em_calendar]` shortcode to facilitate nonce leakage.\n\n## 7. Expected Results\n* **HTTP Response:** The server should return a successful status code (usually `200 OK`) and a body containing `1` or `{\"success\":true}`.\n* **State Change:** The targeted notice will be marked as dismissed in the database (typically in the `wp_options` table), preventing administrators from seeing it.\n\n## 8. Verification Steps\nAfter the HTTP request, verify the state change using WP-CLI:\n```bash\n# Check the dismissed notices option (name inferred based on plugin patterns)\nwp option get ep_dismissed_notices\n```\nAlternatively, log in as an administrator and check if the notice (e.g., the rating or welcome notice) has disappeared from the dashboard.\n\n## 9. Alternative Approaches\nIf `ep_dismiss_admin_notice` is not the specific action, investigate other handlers registered in `class-eventprime-event-calendar-management-admin.php` that use the `ep_ajax_object` nonce. Possible candidates include:\n* `ep_fb_load_more_bookings` (if `nopriv` registration exists, check for PII leakage).\n* `ep_save_event_order` (unauthorized modification of event display order).\n* Check if the nonce action passed to `wp_verify_nonce` is `-1` (the default), which would allow any valid nonce from the system to be used.","The EventPrime plugin fails to implement proper authorization checks on its AJAX handlers, specifically the action responsible for dismissing administrative notices. Unauthenticated attackers can obtain a leaked nonce from the site's frontend and use it to dismiss important dashboard notices for all administrators.","\u002F\u002F admin\u002Fclass-eventprime-event-calendar-management-admin.php @ line 105\n wp_enqueue_script( $this->plugin_name, plugin_dir_url( __FILE__ ) . 'js\u002Feventprime-event-calendar-management-admin.js', array( 'jquery' ), $this->version, true );\n $ep_dismissable_notice_nonce = wp_create_nonce( 'ep_dismissable_notice_nonce' );\n wp_localize_script(\n $this->plugin_name,\n 'ep_ajax_object',\n array(\n\t\t\t\t'nonce' => $ep_dismissable_notice_nonce,\n\t\t\t\t'ajax_url' => admin_url( 'admin-ajax.php' ),\n\t\t\t)\n );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feventprime-event-calendar-management\u002F4.2.8.3\u002Fadmin\u002Fclass-eventprime-event-calendar-management-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feventprime-event-calendar-management\u002F4.2.8.4\u002Fadmin\u002Fclass-eventprime-event-calendar-management-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feventprime-event-calendar-management\u002F4.2.8.3\u002Fadmin\u002Fclass-eventprime-event-calendar-management-admin.php\t2026-01-30 12:18:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feventprime-event-calendar-management\u002F4.2.8.4\u002Fadmin\u002Fclass-eventprime-event-calendar-management-admin.php\t2026-02-03 11:14:18.000000000 +0000\n@@ -1184,6 +1184,9 @@\n 'normal',\n 'low'\n );\n+\n+ do_action('ep_register_metabox_before_ticket_attendees');\n+\n add_meta_box(\n 'ep_tickets_attendies',\n esc_html__( 'Tickets Attendees', 'eventprime-event-calendar-management' ),\n... (truncated)","The exploit targets the `ep_dismiss_admin_notice` AJAX action (inferred from the `ep_dismissable_notice_nonce` localized script). \n\n1. Nonce Acquisition: An unauthenticated attacker visits any public page where EventPrime enqueues its scripts (such as a page with the `[em_calendar]` shortcode). They extract the nonce from the global JavaScript object `ep_ajax_object.nonce`.\n2. Payload Construction: The attacker prepares a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php`.\n3. Request Shape: The body must include `action=ep_dismiss_admin_notice`, the extracted `nonce`, and the `notice_id` of the admin notice they wish to dismiss (e.g., `ep_rating_notice`).\n4. Execution: Because the plugin registers the handler using `wp_ajax_nopriv_` and fails to call `current_user_can('manage_options')` within the handler function, the request succeeds. \n5. Result: The targeted administrative notice is marked as dismissed in the site's database, hiding it from legitimate administrators.","gemini-3-flash-preview","2026-04-18 02:40:08","2026-04-18 02:41:14",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","4.2.8.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags\u002F4.2.8.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feventprime-event-calendar-management.4.2.8.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags\u002F4.2.8.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feventprime-event-calendar-management.4.2.8.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags"]