cleantalk
Vulnerabilities and Security Researches

EventPrime – Events Calendar, Bookings and Tickets, CVE-2026-1657

CVE, Research URL

CVE-2026-1657

Home page URL

Security reports for EventPrime – Events Calendar, Bookings and Tickets

Application

EventPrime – Events Calendar, Bookings and Tickets

Published on
Feb 17, 2026
Research Description
The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.
Affected versions
max 4.2.8.5.
Status
vulnerable
Previous vulnerability researches
Verge3D Publishing and E-Commerce (CVE-2025-22709) , Jan 19, 2025
Verge3D Publishing and E-Commerce (CVE-2025-30833) , Apr 02, 2025
Verge3D Publishing and E-Commerce (CVE-2025-48241) , May 24, 2025
Verge3D Publishing and E-Commerce (CVE-2023-51421) , Jun 06, 2024
Verge3D Publishing and E-Commerce (CVE-2023-51420) , Jun 06, 2024
New vulnerability
TalkJS (CVE-2026-1055) , Apr 16, 2026
News Element Elementor Blog Magazine (CVE-2026-2284) , Apr 16, 2026
WPNakama – Fast and Simple Project Management Tool (CVE-2026-2495) , Apr 16, 2026
Advanced Custom Fields (ACF) (CVE-2026-4812) , Apr 16, 2026
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams (CVE-2025-8899) , Apr 16, 2026