
EventPrime Plugin Allows Hackers to Upload Unauthorized Images

CVE-2026-1657
Summary

The EventPrime plugin for WordPress has a security flaw that lets hackers upload any image file to your website without needing a password. This can lead to malicious images being displayed on your site or used to spread malware. To protect your website, update the EventPrime plugin to the latest version, or consider removing it if you no longer need it.

Original title
The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX a...
Original description
The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.
NVD CVSS 3.1: 5.3
Vulnerability type
CWE-862 Missing Authorization
Published: 17 Feb 2026 · Updated: 14 Mar 2026 · First seen: 6 Mar 2026
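
An added example, not part of the advisory and not EventPrime's code: a Python audit that flags the pattern the description names, a wp_ajax_nopriv_ registration whose callback never calls a nonce or capability check. The sample PHP and its hook and function names are constructed for illustration.

```python
import re

# Constructed sample plugin source (not EventPrime's code); hook and function names are hypothetical.
SAMPLE_PHP = r"""
<?php
add_action( 'wp_ajax_demo_upload', array( $this, 'demo_upload' ) );
add_action( 'wp_ajax_nopriv_demo_upload', array( $this, 'demo_upload' ) );
add_action( 'wp_ajax_nopriv_demo_search', 'demo_search' );

function demo_upload() {
    $nonce = wp_create_nonce( 'demo-upload' ); // created, never verified
    $id = media_handle_upload( 'file', 0 );
    wp_send_json_success( array( 'id' => $id ) );
}

function demo_search() {
    check_ajax_referer( 'demo-search', 'security' );
    wp_send_json_success( array() );
}
"""

HOOK = re.compile(r"add_action\(\s*['\"]wp_ajax_nopriv_(\w+)['\"]\s*,\s*(?:(?:array\(|\[)\s*[^,]+,\s*)?['\"](\w+)['\"]")
CHECKS = ("check_ajax_referer", "wp_verify_nonce", "current_user_can", "is_user_logged_in")

def function_body(src, name):
    """Return the brace-balanced body of `function name(...)`, or None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def unguarded_nopriv_actions(src):
    """List (action, callback) pairs reachable without login whose callback has no guard call."""
    findings = []
    for action, callback in HOOK.findall(src):
        body = function_body(src, callback)
        if body is None or not any(c + "(" in body for c in CHECKS):
            findings.append((action, callback))
    return findings

if __name__ == "__main__":
    for action, callback in unguarded_nopriv_actions(SAMPLE_PHP):
        print(f"unauthenticated action '{action}' -> {callback}(): no nonce or capability check")
```

The scan is a heuristic: it only confirms that a guard function is called somewhere in the callback, so each finding and each pass still needs manual review.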