{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1655", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-29T19:20:41.453Z", "datePublished": "2026-02-18T07:25:40.066Z", "dateUpdated": "2026-04-08T16:35:24.605Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:24.605Z"}, "affected": [{"vendor": "metagauss", "product": "EventPrime \u2013 Events Calendar, Bookings and Tickets", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter granted they can obtain a valid nonce."}], "title": "EventPrime <= 4.2.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e2a2769-1309-4aad-8411-4445efea2b66?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L741"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L798"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L798"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L741"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supoj Polsawas"}], "timeline": [{"time": "2026-01-29T19:36:03.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T19:22:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:25:08.016326Z", "id": "CVE-2026-1655", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:52:33.131Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1655", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:25:08.016326Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:25:09.047Z"}}], "cna": {"title": "EventPrime <= 4.2.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Supoj Polsawas"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "metagauss", "product": "EventPrime \u2013 Events Calendar, Bookings and Tickets", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.2.8.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-29T19:36:03.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T19:22:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e2a2769-1309-4aad-8411-4445efea2b66?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L741"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L798"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L798"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L741"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter granted they can obtain a valid nonce."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-18T07:25:40.066Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1655", "state": "PUBLISHED", "dateUpdated": "2026-02-18T12:52:33.131Z", "dateReserved": "2026-01-29T19:20:41.453Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T07:25:40.066Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter granted they can obtain a valid nonce."}, {"lang": "es", "value": "El plugin EventPrime para WordPress es vulnerable a la modificaci\u00f3n no autorizada de publicaciones debido a la falta de comprobaciones de autorizaci\u00f3n en todas las versiones hasta la 4.2.8.4, inclusive. Esto se debe a que la funci\u00f3n save_frontend_event_submission acepta un par\u00e1metro event_id controlado por el usuario y actualiza la publicaci\u00f3n de evento correspondiente sin aplicar comprobaciones de propiedad o capacidad. Esto permite a atacantes autenticados (Cliente+) modificar publicaciones creadas por administradores manipulando el par\u00e1metro event_id, siempre que puedan obtener un nonce v\u00e1lido."}], "id": "CVE-2026-1655", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T08:16:14.257", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L741"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L798"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L741"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L798"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e2a2769-1309-4aad-8411-4445efea2b66?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.2.8.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "EventPrime \u2013 Events Calendar, Bookings and Tickets", "source": "cna", "vendor": "metagauss"}, "product": "eventprime_\u2013_events_calendar,_bookings_and_tickets", "vendor": "metagauss"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:22:09.228454+00:00", "value": {"mitigation_remediation": ["Upgrade the EventPrime plugin to version 4.2.8.5 or later where the missing authorization check is fixed.", "If an immediate upgrade is not feasible, disable frontend event editing features or set role restrictions so that only administrators can modify events via the frontend AJAX endpoint.", "Ensure that any custom code or hooks that pass event_id to the save_frontend_event_submission function perform proper capability checks before execution."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized event modification leading to post integrity compromise"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all versions of the metagauss EventPrime plugin up to and including 4.2.8.4. Sites running any of these releases are affected and require attention.", "description_and_impact": "The EventPrime plugin for WordPress contains a missing authorization check in its save_frontend_event_submission function, allowing any authenticated Subscriber+ user with a valid nonce to alter the event_id parameter and update or delete events created by administrators. This flaw results in a loss of integrity for event content and can be leveraged to tamper with event details, schedules, or ownership. It is classified as CWE-862, a Missing Authorization vulnerability.", "risk_and_exploitability": "The vulnerability has a CVSS score of 4.3 and an EPSS score of less than 1%, indicating a moderate severity level and a low to very low current exploitation probability. The attack requires that the attacker be an authenticated user with a valid nonce to trigger the vulnerable AJAX endpoint, suggesting an insider or compromised account scenario. Though the likelihood of exploitation is low, the impact\u2014untrusted modification of event posts\u2014warrants timely remediation."}}}}, "created": "2026-02-18T10:32:32.091415+00:00", "updated": "2026-04-15T20:30:13.775073+00:00", "vendors": ["metagauss", "metagauss$PRODUCT$eventprime_\u2013_events_calendar,_bookings_and_tickets", "wordpress", "wordpress$PRODUCT$wordpress"]}