Attack Vectors
CVE-2026-1655 is a Medium-severity issue (CVSS 4.3) affecting EventPrime – Events Calendar, Bookings and Tickets (slug: eventprime-event-calendar-management) in versions up to 4.2.8.4.
Exploitation requires an authenticated account (Subscriber/Customer level or higher) and a valid security token (nonce) for the submission action. The second requirement is a weak barrier: a WordPress nonce is a CSRF token, not an authorization check, and it is typically embedded in the page that renders the frontend event form, so any logged-in user who can load that page receives one. With both in hand, the attacker submits or saves event changes through the plugin's frontend functionality while replacing the event_id parameter with the ID of an event they do not own.
This matters for organizations where many users have accounts (customers, members, partners, staff) and where events drive registrations, ticket revenue, and brand perception.
Security Weakness
The vulnerability is caused by missing authorization checks in the plugin’s handling of frontend event submissions. Specifically, the save_frontend_event_submission function accepts a user-controlled event_id and updates the corresponding event post without enforcing ownership or capability checks.
In practical terms, this creates an opportunity for an authenticated user to modify event posts created by administrators or other privileged users, as long as they can supply a valid nonce and target a real event ID.
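The pattern described above, shown as an added illustration rather than EventPrime's actual code: a minimal frontend "save event" AJAX handler in the vulnerable shape (nonce verified, then a caller-supplied event_id written straight to wp_update_post), followed by a hardened version. The hook names, the `em_event` post type, the field names and the "owners may edit their own submissions" rule are assumptions; the snippet expects to run inside WordPress.

```php
<?php
/*
 * Added example, not EventPrime's code. Hook names, the post type 'em_event',
 * the field names and the ownership rule are assumptions for illustration.
 * Runs inside WordPress (wp_verify_nonce, current_user_can, wp_update_post ...).
 */

// --- Vulnerable shape: nonce only, no ownership or capability check --------
function ep_demo_save_event_vulnerable() {
    // A nonce proves the request came from a form this site rendered for this
    // logged-in user. It says nothing about which posts that user may edit.
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'ep_demo_save_event' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }

    // Attacker-controlled: the ID of any existing event can be supplied here.
    $event_id = (int) ( $_POST['event_id'] ?? 0 );

    // Writes to whatever post the caller named; the IDOR is this call.
    wp_update_post( array(
        'ID'           => $event_id,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) ),
    ) );
    wp_send_json_success( array( 'updated' => $event_id ) );
}
add_action( 'wp_ajax_ep_demo_save_event_vulnerable', 'ep_demo_save_event_vulnerable' );

// --- Hardened form: CSRF check, then authorization against the target post --
function ep_demo_save_event_hardened() {
    check_ajax_referer( 'ep_demo_save_event', '_wpnonce' ); // CSRF only, dies on failure

    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    $post     = $event_id ? get_post( $event_id ) : null;

    // 1. The target must exist and be an event, not an arbitrary post or page
    //    that happens to share the ID space.
    if ( ! $post || 'em_event' !== $post->post_type ) {
        wp_send_json_error( 'unknown event', 404 );
    }

    // 2. Authorization against *this* post. Assumed rule: the submitting user
    //    may edit their own event; anyone else needs the mapped capability.
    //    current_user_can('edit_post', $id) goes through map_meta_cap, so a
    //    Subscriber fails it and a non-owner needs edit_others_posts.
    $is_owner = (int) $post->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_post', $event_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Only now touch the post, and surface failures instead of hiding them.
    $result = wp_update_post( array(
        'ID'           => $event_id,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) ),
    ), true );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'updated' => $event_id ) );
}
add_action( 'wp_ajax_ep_demo_save_event_hardened', 'ep_demo_save_event_hardened' );
```

The order in the hardened handler is deliberate: resolve the ID to a post, confirm it is the expected post type, decide whether this user may edit that specific post, and only then write. When auditing a plugin for this class of bug, look for `wp_update_post`, `update_post_meta` or `wp_delete_post` calls whose ID comes from the request with nothing but a nonce check in between.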
Remediation: Update EventPrime to version 4.2.8.5 or a newer patched release.
Technical or Business Impacts
Content and brand risk: Unauthorized edits to event titles, descriptions, dates, locations, or messaging can lead to public-facing misinformation that undermines credibility and disrupts campaigns.
Revenue and operational disruption: If event details are altered, customers may miss events, request refunds, or abandon purchases—impacting ticket sales, registrations, and support workload.
Compliance and reporting exposure: Incorrect event information and altered records can complicate audit trails, internal approvals, and partner obligations—especially where marketing claims, accessibility commitments, or regulated disclosures are tied to event pages.
Risk management note: While the CVSS rating is Medium and the impact is limited to modification (no direct confidentiality loss noted), unauthorized content changes can still create outsized business damage during time-sensitive launches and promotions.
Similar Attacks
Unauthorized content modification through weak ID handling has appeared in other widely reported WordPress issues, most notably the WordPress core REST API content injection vulnerability in 4.7.0 and 4.7.1 (CVE-2017-1001000), where the posts endpoint accepted a non-integer id value and let unauthenticated attackers modify arbitrary posts. (CVE-2017-5487, sometimes cited in this context, is the separate REST API user-enumeration issue in 4.7.) The EventPrime flaw is narrower, since it requires an account and a nonce, but the root cause is the same: the identifier chosen by the caller is trusted without checking that the caller may act on that object.