
EventPrime CVE-2026-39518
EUVD-2026-36955 | HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-15 · Patchstack · GHSA-fgrh-26m2-w86v
7.1 (CVSS 3.1) · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 7.1 HIGH
  CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

vuln.today AI: 7.1 HIGH
  Network-reachable WordPress endpoint, no user interaction, requires a Subscriber account (PR:L); IDOR exposes others' records (C:H) with limited write/tamper (I:L) and no availability impact.
  CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
  CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026 - 22:21 (vuln.today)

Description (CVE.org)

Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions.

Analysis (AI)

An insecure direct object reference in the EventPrime WordPress plugin (versions up to and including 4.3.0.0) allows authenticated users holding only the low-privilege Subscriber role to access or manipulate event records belonging to other users by tampering with object identifiers. The flaw was disclosed by Patchstack and carries CVSS 7.1, reflecting high confidentiality impact with limited integrity impact; no public exploit had been identified at the time of analysis and there is no CISA KEV listing. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Register Subscriber account on target site
Delivery: Authenticate to obtain WordPress session cookie
Exploit: Call vulnerable EventPrime endpoint with target object ID
Execution: Enumerate IDs to bypass authorization check
Impact: Exfiltrate or tamper with other users' event records

Vulnerability Assessment (AI)

Exploitation: The attacker must hold a valid authenticated session at the Subscriber role or higher on a WordPress site with EventPrime ≤ 4.3.0.0 installed and activated (PR:L in the CVSS vector), and must be able to reach the plugin's HTTP endpoints over the network. …
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N indicates a remotely reachable, low-complexity flaw exploitable by any authenticated account with no user interaction, yielding high confidentiality loss and limited integrity tampering, consistent with cross-tenant data exposure rather than full site takeover. …
Exploit Scenario: An attacker registers a free Subscriber account on a WordPress site running EventPrime (or uses an existing low-privilege account), then sends an authenticated request to a vulnerable plugin endpoint while iterating the event, booking, or attendee ID parameter. Because the endpoint does not verify ownership of the referenced object, the server returns or modifies records belonging to other users, exposing attendee personal data, private bookings, or organizer details. …
Remediation: An upstream fix is available per the Patchstack advisory, but the patched version number is not independently confirmed in the provided data. Administrators should update EventPrime to the latest release above 4.3.0.0 published on the WordPress.org plugin repository and verify that the changelog references this IDOR fix (Patchstack advisory: https://patchstack.com/database/wordpress/plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-3-0-0-insecure-direct-object-references-idor-vulnerability). …
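The "Enumerate IDs" step of the attack chain and the exploit scenario above leave a characteristic trace on the server side: one authenticated principal calling the same plugin endpoint with many distinct object IDs in a short window, which a legitimate attendee browsing only their own bookings never does. The detector below is an added example, not code from vuln.today, Patchstack or the EventPrime project. The advisory does not name the vulnerable endpoint or parameter, so the `action=ep_example` endpoint, the `booking_id`/`event_id` parameter names, the log line format (client, authenticated user, timestamp, request, status) and the sample log lines are all constructed placeholders; adapt the regex and parameter list to whatever your access logs and the patched plugin actually use.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed log format (assumption): client user [timestamp] "METHOD path PROTO" status.
# Stock Apache/nginx logs do not record the WordPress user; this assumes a logging
# layer that fills the user field (or '-' for anonymous requests).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"

# Constructed sample log. 'ep_example' and 'booking_id' are placeholders, not
# EventPrime's real admin-ajax action or parameter names.
SAMPLE_LOG = """\
10.0.0.5 subscriber_b [15/Jun/2026:10:00:01] "GET /wp-admin/admin-ajax.php?action=ep_example&booking_id=101 HTTP/1.1" 200
10.0.0.5 subscriber_b [15/Jun/2026:10:00:03] "GET /wp-admin/admin-ajax.php?action=ep_example&booking_id=102 HTTP/1.1" 200
10.0.0.5 subscriber_b [15/Jun/2026:10:00:05] "GET /wp-admin/admin-ajax.php?action=ep_example&booking_id=103 HTTP/1.1" 200
10.0.0.5 subscriber_b [15/Jun/2026:10:00:07] "GET /wp-admin/admin-ajax.php?action=ep_example&booking_id=104 HTTP/1.1" 200
10.0.0.5 subscriber_b [15/Jun/2026:10:00:09] "GET /wp-admin/admin-ajax.php?action=ep_example&booking_id=105 HTTP/1.1" 200
10.0.0.5 subscriber_b [15/Jun/2026:10:00:11] "GET /wp-admin/admin-ajax.php?action=ep_example&booking_id=106 HTTP/1.1" 200
203.0.113.7 - [15/Jun/2026:10:00:02] "GET /events/ HTTP/1.1" 200
10.0.0.9 subscriber_a [15/Jun/2026:10:05:00] "GET /wp-admin/admin-ajax.php?action=ep_example&booking_id=41 HTTP/1.1" 200
10.0.0.9 subscriber_a [15/Jun/2026:10:05:30] "GET /wp-admin/admin-ajax.php?action=ep_example&booking_id=41 HTTP/1.1" 200
10.0.0.9 subscriber_a [15/Jun/2026:12:10:00] "GET /wp-admin/admin-ajax.php?action=ep_example&booking_id=42 HTTP/1.1" 200
"""


def parse_line(line: str):
    """Return the log fields as a dict with a datetime timestamp, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_id_enumeration(lines, id_params=("event_id", "booking_id"),
                        threshold=5, window_seconds=60):
    """One alert per (user, parameter) whose requests referenced at least
    `threshold` distinct object IDs inside some sliding window of `window_seconds`."""
    hits = defaultdict(list)                      # (user, param) -> [(ts, object_id)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":     # anonymous traffic is out of scope (PR:L)
            continue
        query = parse_qs(urlparse(rec["path"]).query)
        for param in id_params:
            if param in query:
                hits[(rec["user"], param)].append((rec["ts"], query[param][0]))

    alerts = []
    for (user, param), events in hits.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({oid for _, oid in events[start:end + 1]}))
        if best >= threshold:
            alerts.append({"user": user, "param": param, "distinct_ids": best})
    return alerts


if __name__ == "__main__":
    for alert in find_id_enumeration(SAMPLE_LOG.splitlines()):
        print(f"possible IDOR enumeration: user={alert['user']} "
              f"param={alert['param']} distinct_ids={alert['distinct_ids']}")
```

On the constructed sample, subscriber_b (six distinct booking IDs in ten seconds) is flagged while subscriber_a (two of their own bookings, hours apart) is not. Thresholds should be tuned against a baseline of normal traffic for the site; because the advisory rates integrity impact as Low, the same logic applied to POST requests with status 200 is the variant worth watching for tampering rather than reads.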

Recommended Action (AI)

Within 24 hours: Identify all WordPress installations running EventPrime and confirm current plugin versions; assess whether open subscriber registration is enabled and estimate the volume and sensitivity of event records exposed to unauthorized access. …

