{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1657", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-29T20:00:13.921Z", "datePublished": "2026-02-17T05:29:53.330Z", "dateUpdated": "2026-04-08T16:48:57.769Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:57.769Z"}, "affected": [{"vendor": "metagauss", "product": "EventPrime \u2013 Events Calendar, Bookings and Tickets", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.2.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint."}], "title": "EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42aa82ff-0d37-4040-b8fc-84d29534a4b7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L1659"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L1659"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-event-calendar-management.php#L557"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-eventprime-event-calendar-management.php#L557"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "timeline": [{"time": "2026-01-29T20:17:16.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-16T17:29:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T14:32:36.378899Z", "id": "CVE-2026-1657", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:33:56.486Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1657", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T14:32:36.378899Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T14:33:50.892Z"}}], "cna": {"title": "EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint", "credits": [{"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "metagauss", "product": "EventPrime \u2013 Events Calendar, Bookings and Tickets", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.2.8.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-29T20:17:16.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-16T17:29:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42aa82ff-0d37-4040-b8fc-84d29534a4b7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L1659"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L1659"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-event-calendar-management.php#L557"}, {"url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-eventprime-event-calendar-management.php#L557"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-17T05:29:53.330Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1657", "state": "PUBLISHED", "dateUpdated": "2026-02-17T14:33:56.486Z", "dateReserved": "2026-01-29T20:00:13.921Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-17T05:29:53.330Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint."}, {"lang": "es", "value": "El plugin EventPrime para WordPress es vulnerable a la carga no autorizada de archivos de imagen en todas las versiones hasta la 4.2.8.4, inclusive. Esto se debe a que el plugin registra la acci\u00f3n AJAX upload_file_media como p\u00fablicamente accesible (con nopriv habilitado) sin implementar ninguna autenticaci\u00f3n, autorizaci\u00f3n o verificaci\u00f3n de nonce a pesar de que se crea un nonce. Esto hace posible que atacantes no autenticados carguen archivos de imagen al directorio de cargas de WordPress y creen adjuntos en la Biblioteca de Medios a trav\u00e9s del endpoint ep_upload_file_media."}], "id": "CVE-2026-1657", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-17T06:16:18.173", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php#L1659"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-eventprime-event-calendar-management.php#L557"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php#L1659"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-event-calendar-management.php#L557"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3455239%40eventprime-event-calendar-management%2Ftrunk&old=3452796%40eventprime-event-calendar-management%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42aa82ff-0d37-4040-b8fc-84d29534a4b7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.8.4]"}}], "product": "eventprime_\u2013_events_calendar,_bookings_and_tickets", "vendor": "metagauss"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-18T12:03:27.687561+00:00", "value": {"mitigation_remediation": ["Update the EventPrime plugin to a version newer than 4.2.8.4, which removes the unauthenticated upload_file_media endpoint.", "If upgrading is not immediately possible, restrict write permissions on the wp\u2011content/uploads directory to the web server user and configure the web server to prevent execution of files in that directory.", "Block the ep_upload_file_media AJAX action for non\u2011authenticated users by adding a rule that rejects requests lacking a valid logged\u2011in session or properly validated nonce, which aligns with CWE\u2011862 remediation guidance for enforcing authorization."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary File Upload"}, "threat_synthesis": {"affected_systems": "All WordPress installations running the EventPrime Events Calendar, Bookings and Tickets plugin version 4.2.8.4 or earlier are affected. Any site using these builds has the ep_upload_file_media endpoint exposed without authorization.", "description_and_impact": "The EventPrime plugin registers the ep_upload_file_media AJAX action as nopriv, meaning it is publicly accessible. No authentication or proper authorization checks are performed, even though a nonce is created and never enforced. This flaw allows an unauthenticated attacker to send a POST request to the endpoint and upload any image file to the WordPress uploads directory. The ability to place arbitrary files on the server can be leveraged for phishing, persistence, or defacement. If the server is configured to execute uploads, the attacker could potentially run code on the site; this possibility is inferred from the description and is not directly confirmed.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests real\u2011world exploitation is currently rare or undocumented. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit this flaw by sending a crafted POST request to http://<site>/wp-admin/admin-ajax.php without any authentication or additional prerequisites. The vulnerability allows arbitrary file upload, and while remote code execution is inferred if the server executes uploaded content, this outcome is not directly supported by the description."}}}}, "created": "2026-02-17T08:48:51.807559+00:00", "updated": "2026-04-18T12:15:15.772807+00:00", "vendors": ["metagauss", "metagauss$PRODUCT$eventprime_\u2013_events_calendar,_bookings_and_tickets", "wordpress", "wordpress$PRODUCT$wordpress"]}