CVE-2026-1657

MEDIUM 5.3

EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.

CWE	CWE-862
Vendor	metagauss
Product	eventprime – events calendar, bookings and tickets
Published	Feb 17, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for metagauss eventprime – events calendar, bookings and tickets

Be the first to know when new medium vulnerabilities affecting metagauss eventprime – events calendar, bookings and tickets are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

metagauss / EventPrime – Events Calendar, Bookings and Tickets

0 ≤ 4.2.8.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

Tharadol Suksamran