CVE-2026-1655 – The EventPrime WordPress plugin allows authenti... (How to Fix)

Q: What is the severity of CVE-2026-1655?

CVE-2026-1655 has a CVSS score of 4.3 (MEDIUM). The EventPrime WordPress plugin allows authenticated attackers with Customer+ roles to modify administrator-created event posts without authorization. This vulnerability exists because the save_frontend_event_submission function doesn't verify if users own the events they're trying to modify. All WordPress sites using EventPrime up to version 4.2.8.4 are affected.

📋 TL;DR

The EventPrime WordPress plugin allows authenticated attackers with Customer+ roles to modify administrator-created event posts without authorization. This vulnerability exists because the save_frontend_event_submission function doesn't verify if users own the events they're trying to modify. All WordPress sites using EventPrime up to version 4.2.8.4 are affected.

💻 Affected Systems

Products:

EventPrime Event Calendar Management for WordPress

Versions: All versions up to and including 4.2.8.4

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress with EventPrime plugin installed and at least one authenticated user with Customer+ role.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could deface or delete critical event content, disrupt operations, or inject malicious content into legitimate event posts.

🟠

Likely Case

Unauthorized modification of event details, potentially causing misinformation, scheduling conflicts, or minor content manipulation.

🟢

If Mitigated

With proper authorization checks, only event owners or administrators could modify their own events, preventing unauthorized changes.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access and obtaining a valid nonce, but the attack vector is straightforward once those conditions are met.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.8.5 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find EventPrime Event Calendar Management. 4. Click 'Update Now' if available, or download latest version from WordPress repository. 5. Activate updated plugin.

🔧 Temporary Workarounds

Temporary Role Restriction

all

Restrict Customer+ role users from accessing event management features until patch is applied.

Use WordPress role management plugins like User Role Editor to remove 'edit_posts' capability from Customer role

🧯 If You Can't Patch

Implement web application firewall rules to block suspicious event modification requests
Enable detailed logging of all event modification attempts and monitor for unauthorized changes

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → EventPrime version. If version is 4.2.8.4 or earlier, you are vulnerable.

Check Version:

wp plugin get eventprime-event-calendar-management --field=version (if WP-CLI installed)

Verify Fix Applied:

After updating, verify version shows 4.2.8.5 or later in WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

Multiple POST requests to /wp-admin/admin-ajax.php with action=ep_save_frontend_event_submission from non-admin users
Event modifications from users who don't own the events

Network Indicators:

Unusual pattern of event_id parameter manipulation in AJAX requests

SIEM Query:

source="wordpress.log" AND "ep_save_frontend_event_submission" AND user_role!="administrator"

📊 Metadata

CVE ID: CVE-2026-1655

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-862

Published: February 18, 2026

Last Updated: February 18, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1655, you might also want to check these: