Security Alert Summary
The EventPrime plugin for WordPress contains an authorization bypass that allows authenticated lower-privileged users to modify event posts they do not own by supplying a manipulated event_id parameter to a frontend save function. A valid nonce is required for the action per the CVE entry.
CVE Details
- CVE ID: CVE-2026-1655
- Affected plugin / component: The EventPrime plugin for WordPress
- Affected versions: All versions up to and including 4.2.8.4
- Published: February 18, 2026 at 8:16:14 AM (UTC)
- Last modified: February 18, 2026 at 8:16:14 AM (UTC)
- CVSS v3.1: Base Score 4.3 (MEDIUM); Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Authentication / Privileges / Interaction:
  - Authentication required: Yes; the issue requires an authenticated user and a valid nonce (as noted in the description).
  - Privileges required: Low (PR:L); an authenticated low-privileged user (described as "Customer+").
  - User interaction: None (UI:N).
- Primary impact: Confidentiality: NONE; Integrity: LOW; Availability: NONE
- CWE / weakness: CWE-862 (Missing Authorization)
Technical Details
According to the CVE description, the vulnerability exists because the plugin’s save_frontend_event_submission function accepts a user-controlled event_id parameter and updates the corresponding event post without enforcing ownership or capability checks. In other words, the code updates an existing event post based solely on an ID supplied by the requester and does not verify that the authenticated user is the post owner or has the capability to modify that post.
The description also notes that a valid nonce is required to invoke the functionality, but possession of a valid nonce plus a low-privileged authenticated account (Customer+) is sufficient to perform modifications to event posts created by administrators. The root cause is missing authorization checks (CWE-862) when mapping the provided event_id to the post being updated.
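To make the missing check concrete, the following PHP sketch is an added illustration and not EventPrime's code: the handler names, the nonce action string and the `em_event` post type are assumptions, and only the pattern (nonce verified, ownership of the post named by event_id never verified) follows the CVE description. The vulnerable form is shown beside a hardened form that checks the caller may edit that specific post before writing.

```php
// Added illustration, not EventPrime's code; names below are assumptions.
function hypothetical_read_event_fields() {
    // Both handlers read the submitted fields the same way.
    return array(
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) ),
    );
}

// Vulnerable pattern (CWE-862): the nonce proves the request came from the
// plugin's form, not that the caller may edit the post whose ID it names.
function hypothetical_save_event_vulnerable() {
    check_ajax_referer( 'ep_frontend_event', 'nonce' );
    $event_id = absint( $_POST['event_id'] ?? 0 );
    $data     = hypothetical_read_event_fields();
    if ( $event_id ) {
        $data['ID'] = $event_id;      // any existing post ID is accepted as-is
        wp_update_post( $data );
    } else {
        $data['post_type'] = 'em_event';
        wp_insert_post( $data );
    }
    wp_send_json_success();
}

// Hardened form: resolve the target post first and require edit rights on that
// specific post (WordPress maps edit_post to edit_posts for the owner and to
// edit_others_posts for anyone else) before anything is written.
function hypothetical_save_event_hardened() {
    check_ajax_referer( 'ep_frontend_event', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $event_id = absint( $_POST['event_id'] ?? 0 );
    $data     = hypothetical_read_event_fields();
    if ( $event_id ) {
        $post = get_post( $event_id );
        if ( ! $post || 'em_event' !== $post->post_type
            || ! current_user_can( 'edit_post', $event_id ) ) {
            wp_send_json_error( 'not allowed', 403 );
        }
        $data['ID'] = $event_id;
        wp_update_post( $data );
    } else {
        $data['post_type']   = 'em_event';
        $data['post_author'] = get_current_user_id();
        wp_insert_post( $data );
    }
    wp_send_json_success();
}
```

When reviewing a plugin's own handler, the line to look for is the `current_user_can( 'edit_post', $id )` check (or an equivalent ownership comparison) sitting between the nonce check and the `wp_update_post` call; a nonce check alone, as in the first function, does not authorize the write.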
Impact is limited to integrity of event posts: an attacker meeting the authentication and nonce conditions can modify event content (for example, event title, date, location, or description) for posts they do not own. The CVSS vector indicates network access with low complexity and no user interaction, resulting in a MEDIUM base score (4.3).
How This Could Impact Your Website
In a typical small or medium business site using EventPrime, consider these roles: a site owner or administrator, internal staff who create and manage events, and external contributors or customers with lower-level accounts. If a low-privileged authenticated user (Customer+) is able to obtain a valid nonce and manipulate the event_id parameter, they could modify event posts created by administrators or staff. Practical consequences include incorrect event times or locations, misleading descriptions, or altered registration links that could confuse attendees or damage trust.
For example, an external contractor with a Customer+ account could change the venue or contact information for an administrator-created event, causing attendees to arrive at the wrong location or to contact the wrong person. Because confidentiality impact is listed as NONE, this issue does not indicate exposure of sensitive data, but it does represent a risk to the integrity of event content and the reliability of information presented to site visitors.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles and capabilities, especially for contributor or customer-level accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site and post activity for unusual edits to events or other content.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L741
- https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L798
- https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L741
- https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L798
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0e2a2769-1309-4aad-8411-4445efea2b66?source=cve