CVE-2026-1655
Unauthorized Post Modification in EventPrime WordPress Plugin
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eventprime | eventprime | up to and including 4.2.8.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The EventPrime plugin for WordPress has a vulnerability that allows unauthorized modification of posts. This happens because the function save_frontend_event_submission accepts a user-controlled event_id parameter and updates the corresponding event post without checking if the user owns the post or has the right permissions.
As a result, authenticated users with Customer+ privileges can modify posts created by administrators by manipulating the event_id parameter, provided they have a valid nonce.
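The object-level check whose absence is described above, written as an added example against the standard WordPress API; it is not EventPrime's code and not the vendor's patch. The nonce action, the post type and every `example_` name are placeholders assumed for the illustration.

```php
<?php
// Added illustration, not EventPrime's code. Both constants are placeholders
// assumed for this example; a real handler would use the plugin's own values.
const EXAMPLE_NONCE_ACTION    = 'example_frontend_event_submission';
const EXAMPLE_EVENT_POST_TYPE = 'example_event';

/**
 * Decide which event a front-end submission is allowed to write to.
 *
 * @param array $request Raw request fields (for example $_POST).
 * @return int|WP_Error 0 for a new event, an editable post ID, or an error.
 */
function example_authorize_event_submission( array $request ) {
    // A valid nonce only ties the request to the current session. It grants
    // no rights over any particular post, so it cannot be the only gate.
    $nonce = isset( $request['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $request['_wpnonce'] ) )
        : '';
    if ( ! is_user_logged_in() || ! wp_verify_nonce( $nonce, EXAMPLE_NONCE_ACTION ) ) {
        return new WP_Error( 'forbidden', 'Invalid session or nonce.' );
    }

    // event_id is user-controlled: normalise it before using it as a post ID.
    $event_id = isset( $request['event_id'] ) ? absint( $request['event_id'] ) : 0;
    if ( 0 === $event_id ) {
        return 0; // No ID supplied: treat the request as a new submission.
    }

    // The ID must point at an existing post of the expected type.
    $post = get_post( $event_id );
    if ( ! $post || EXAMPLE_EVENT_POST_TYPE !== $post->post_type ) {
        return new WP_Error( 'not_found', 'Unknown event.' );
    }

    // Object-level authorization: the caller must be the post's author or
    // hold edit rights on this specific post. Low-privileged roles usually
    // lack edit capabilities, which is why ownership is checked separately.
    $is_owner = (int) $post->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_post', $event_id ) ) {
        return new WP_Error( 'forbidden', 'You cannot edit this event.' );
    }

    return $event_id;
}
```

A submission handler would call this before any wp_update_post() and stop with an error response when is_wp_error() is true for the result.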
How can this vulnerability impact me?
This vulnerability can allow attackers with certain authenticated access to modify event posts they should not have control over, including those created by administrators.
Such unauthorized modifications could lead to misinformation, defacement, or manipulation of event data on a WordPress site using the EventPrime plugin.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know