[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f5lE4IB-g-ixGq_tjHhDbKINL7x8gvvaQLjuAS6ZylkI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20},"CVE-2026-1657","eventprime-missing-authorization-to-unauthenticated-image-upload-via-epuploadfilemedia-ajax-endpoint","EventPrime \u003C= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint","The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.","eventprime-event-calendar-management",null,"\u003C=4.2.8.4","4.2.8.5","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-16 17:29:13","2026-02-17 05:29:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F42aa82ff-0d37-4040-b8fc-84d29534a4b7?source=api-prod",1]