CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.6.0.
Analysis
A missing authorization vulnerability exists in the Metagauss EventPrime event calendar management plugin for WordPress, classified as CWE-862 (Missing Authorization), that allows attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability affects EventPrime versions up to and including 4.2.6.0, enabling exploitation through incorrectly configured access control security levels. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2025-209001, suggesting active security community awareness, though KEV status and proof-of-concept availability remain unconfirmed from available intelligence.
Technical Context
EventPrime (cpe:2.3:a:metagauss:eventprime:*:*:*:*:*:*:*:*) is a WordPress plugin providing event calendar management functionality. The root cause is classified under CWE-862 (Missing Authorization), indicating that the application fails to enforce proper access control checks before allowing users to perform sensitive operations. This typically manifests as insufficient server-side validation of user permissions, where client-side restrictions or role-based access control (RBAC) logic is either absent, misconfigured, or bypassable. WordPress plugins are particularly susceptible to authorization flaws when they directly expose admin or privileged functionality (admin-ajax.php actions, REST routes, form handlers) without verifying the current user's capabilities via WordPress' native permission model (e.g., current_user_can() checks). The incorrect configuration of security levels suggests the vulnerability may stem from default-permissive settings or logical errors in capability checks across multiple plugin endpoints.
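An added illustration of the pattern described above, written for this page and not taken from EventPrime's code: an admin-ajax handler that performs a privileged operation without any caller check, next to the hardened form that enforces a nonce and a current_user_can() capability check. All demo_event_* action and function names are invented for the example.

```php
<?php
// Hypothetical demo plugin code (not EventPrime's). Shows CWE-862 in a
// WordPress plugin handler and the server-side checks that close it.

// VULNERABLE pattern: reachable by any visitor (wp_ajax_nopriv_) and by any
// logged-in user (wp_ajax_), and the handler never asks who is calling.
add_action( 'wp_ajax_nopriv_demo_event_delete', 'demo_event_delete_unchecked' );
add_action( 'wp_ajax_demo_event_delete',        'demo_event_delete_unchecked' );
function demo_event_delete_unchecked() {
    $event_id = absint( $_POST['event_id'] ?? 0 );
    wp_delete_post( $event_id, true ); // privileged action, no authorization
    wp_send_json_success();
}

// HARDENED pattern: logged-in only (no nopriv hook), a nonce against CSRF,
// a capability check, and an object-level check on the specific post.
add_action( 'wp_ajax_demo_event_delete_safe', 'demo_event_delete_checked' );
function demo_event_delete_checked() {
    check_ajax_referer( 'demo_event_delete', 'nonce' );      // dies on bad nonce
    if ( ! current_user_can( 'delete_posts' ) ) {             // role-level check
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $event_id = absint( $_POST['event_id'] ?? 0 );
    if ( ! current_user_can( 'delete_post', $event_id ) ) {   // this post only
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    wp_delete_post( $event_id, true );
    wp_send_json_success();
}

// Same principle for a REST route: authorization belongs in permission_callback.
// Returning __return_true there reproduces the missing-authorization bug.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-events/v1', '/event/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => function ( WP_REST_Request $req ) {
            $deleted = wp_delete_post( absint( $req['id'] ), true );
            return $deleted
                ? new WP_REST_Response( null, 204 )
                : new WP_Error( 'not_found', 'No such event', array( 'status' => 404 ) );
        },
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'delete_post', absint( $req['id'] ) );
        },
    ) );
} );
```

When auditing a plugin for this class of flaw, grep its wp_ajax_nopriv_, wp_ajax_ and register_rest_route registrations and confirm each handler reaches a current_user_can() (or equivalent) check before any state change.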
Affected Products
Metagauss EventPrime (the WordPress event calendar management plugin) in all versions from initial release through version 4.2.6.0 is affected, as confirmed by CPE cpe:2.3:a:metagauss:eventprime:*:*:*:*:*:*:*:*. The ENISA EUVD database lists affected versions as 'EventPrime n/a ≤ 4.2.6.0'. The vulnerability was reported and documented by Patchstack in their WordPress plugin vulnerability database. See the detailed advisory at https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-6-0-broken-access-control-vulnerability for the most current patch status and version recommendations.
Remediation
Immediately upgrade EventPrime to a version released after 4.2.6.0 (patch version to be confirmed from vendor) by navigating to WordPress Plugins > Installed Plugins, selecting EventPrime, and clicking 'Update Now', or download the patched version directly from the plugin repository or vendor website. Verify the update in the Plugins menu to confirm the new version is active. Until a patch is applied, implement WordPress-level access controls by restricting plugin administrative pages to specific user roles via security plugins (e.g., Wordfence, Sucuri), disable the plugin if not actively in use, and audit event calendar endpoints for unexpected access. Monitor Patchstack and the official EventPrime changelog (https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management) for patch release notifications and apply updates within 24-48 hours of availability.
EUVD-2025-209001
GHSA-678w-hwfh-39xv