
EventPrime Plugin for WordPress Allows Admins' Posts to be Modified

CVE-2026-1655
Summary

An attacker with a WordPress account (Customer role or higher) who can obtain a valid nonce can modify posts created by administrators by manipulating the event_id parameter. Sites running the EventPrime plugin in any version up to and including 4.2.8.4 are affected. To protect your site, update the EventPrime plugin to the latest version or remove it if you don't use it.

Original title
The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_fronte...
Original description
The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter, granted they can obtain a valid nonce.
NVD CVSS 3.1 score: 4.3
Vulnerability type
CWE-862 Missing Authorization
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026