cleantalk
Vulnerabilities and Security Researches

EventPrime – Events Calendar, Bookings and Tickets, CVE-2026-1655

CVE, Research URL

CVE-2026-1655

Home page URL

Security reports for EventPrime – Events Calendar, Bookings and Tickets

Application

EventPrime – Events Calendar, Bookings and Tickets

Published on
Feb 18, 2026
Research Description
The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter granted they can obtain a valid nonce.
Affected versions
max 4.2.8.5.
Status
vulnerable
Previous vulnerability researches
Verge3D Publishing and E-Commerce (CVE-2025-22709) , Jan 19, 2025
Verge3D Publishing and E-Commerce (CVE-2025-30833) , Apr 02, 2025
Verge3D Publishing and E-Commerce (CVE-2025-48241) , May 24, 2025
Verge3D Publishing and E-Commerce (CVE-2023-51421) , Jun 06, 2024
Verge3D Publishing and E-Commerce (CVE-2023-51420) , Jun 06, 2024
New vulnerability
TalkJS (CVE-2026-1055) , Apr 16, 2026
News Element Elementor Blog Magazine (CVE-2026-2284) , Apr 16, 2026
WPNakama – Fast and Simple Project Management Tool (CVE-2026-2495) , Apr 16, 2026
Advanced Custom Fields (ACF) (CVE-2026-4812) , Apr 16, 2026
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams (CVE-2025-8899) , Apr 16, 2026