CVE-2026-1657 in EventPrime Plugin

Summary

by MITRE • 02/17/2026

The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.


Analysis

by VulDB Data Team • 02/20/2026

The vulnerability identified as CVE-2026-1657 affects the EventPrime plugin for WordPress, presenting a critical security flaw that allows unauthorized file uploads. This issue exists in all versions up to and including 4.2.8.4, making it a widespread concern for WordPress installations that utilize this plugin. The vulnerability stems from improper access control implementation within the plugin's AJAX handling mechanism, specifically in the upload_file_media action which is registered as publicly accessible without adequate security measures.

The technical flaw manifests through the plugin's registration of the ep_upload_file_media endpoint as nopriv-enabled, meaning it accepts requests without requiring user authentication. While the plugin does generate a nonce for the upload process, this nonce is never verified during the file upload operation, creating a significant security gap. This design flaw allows any unauthenticated attacker to exploit the endpoint and upload image files directly to the WordPress uploads directory. The vulnerability is classified as a weakness in authorization and authentication controls, aligning with CWE-285, which addresses insufficient authorization in software systems.

The operational impact of this vulnerability is substantial, as it enables attackers to gain persistent access to the target WordPress installation through media file uploads. Once an attacker successfully uploads malicious image files, they can create Media Library attachments that become part of the site's media collection, potentially allowing for further exploitation such as hosting malicious content or using the uploaded files as a foothold for additional attacks. This vulnerability directly enables the ATT&CK technique T1566.001, which involves the use of malicious file uploads for initial access and persistence within target environments. The ability to create Media Library entries also provides attackers with a method to maintain access and potentially exfiltrate data through the legitimate media handling mechanisms of the WordPress platform.

Mitigation strategies should focus on immediate plugin updates to versions that address this vulnerability, as well as implementing additional security controls such as restricting access to AJAX endpoints through firewall rules or web application firewalls. Administrators should also consider implementing proper authentication checks for all file upload endpoints and ensuring that nonces are properly validated. The recommended approach includes disabling unused AJAX actions, implementing rate limiting for upload operations, and conducting regular security audits of plugin configurations to prevent similar vulnerabilities from being exploited in other components of the WordPress ecosystem.
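The weak handler pattern the analysis describes (a nopriv-hooked AJAX action with no nonce or capability check), beside the hardened form the mitigation paragraph calls for, as an added illustration that is not EventPrime's own code; the hook, function and nonce names are assumed:

```php
<?php
// Added illustration, not EventPrime's own code; the hook, function and nonce names are assumed.
// Weak pattern: the same handler is hooked on wp_ajax_ and wp_ajax_nopriv_, so
// unauthenticated requests reach it, and it never checks a nonce or a capability.
add_action( 'wp_ajax_example_upload_media', 'example_upload_media_weak' );
add_action( 'wp_ajax_nopriv_example_upload_media', 'example_upload_media_weak' );
function example_upload_media_weak() {
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'] );
    }
    $id = wp_insert_attachment( array(
        'post_mime_type' => $result['type'],
        'post_title'     => sanitize_file_name( basename( $result['file'] ) ),
        'post_status'    => 'inherit',
    ), $result['file'] );
    wp_send_json_success( array( 'id' => $id, 'url' => $result['url'] ) );
}

// Hardened pattern: no nopriv hook; verify the nonce the form was issued with
// wp_create_nonce( 'example_upload_media' ), require upload_files, and whitelist MIME types.
add_action( 'wp_ajax_example_upload_media_secure', 'example_upload_media_secure' );
function example_upload_media_secure() {
    check_ajax_referer( 'example_upload_media', 'nonce' ); // dies with 403 if missing or invalid
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file provided', 400 );
    }
    $result = wp_handle_upload( $_FILES['file'], array(
        'test_form' => false,
        'mimes'     => array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' ),
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    $id = wp_insert_attachment( array(
        'post_mime_type' => $result['type'],
        'post_title'     => sanitize_file_name( basename( $result['file'] ) ),
        'post_status'    => 'inherit',
    ), $result['file'] );
    if ( ! $id ) { // wp_insert_attachment returns 0 on failure
        wp_send_json_error( 'could not create attachment', 500 );
    }
    wp_send_json_success( array( 'id' => $id, 'url' => $result['url'] ) );
}
```

wp_send_json_error and wp_send_json_success terminate the request, so each failure branch stops the handler before any file is written or an attachment created.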

Disclosure

02/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00140

KEV

no

Activities

very low
