Eventprime

9 CVEs product

CVE-2026-42687 HIGH This Week

Unauthenticated PHP Object Injection in the EventPrime event calendar plugin for WordPress (versions <= 4.3.2.1) allows remote attackers to inject crafted serialized PHP objects that may trigger arbitrary deserialization-driven gadget chains, leading to potential remote code execution, file manipulation, or data tampering. The flaw is reachable without authentication but carries CVSS:3.1 AC:H, indicating non-trivial preconditions for successful exploitation. No public exploit identified at time of analysis, but Patchstack disclosure typically precedes broader exploit development against the WordPress plugin ecosystem.

PHP Deserialization Eventprime
NVD VulDB
CVSS 3.1: 8.1
EPSS: 0.3%
CVE-2026-42686 HIGH This Week

Stored or reflected cross-site scripting in the EventPrime WordPress plugin (versions <= 4.3.2.1) allows authenticated users with Subscriber-level privileges to inject malicious JavaScript that executes in other users' browsers. The flaw was disclosed by Patchstack and currently has no public exploit identified at time of analysis, but the low privilege bar makes it attractive for opportunistic attackers on multi-user WordPress sites. No CISA KEV listing or EPSS data was supplied with this report.

XSS Eventprime
NVD
CVSS 3.1: 7.1
EPSS: 0.4%
CVE-2026-39518 HIGH This Week

Insecure direct object reference in the EventPrime WordPress plugin (versions up to and including 4.3.0.0) allows authenticated users holding only the low-privilege Subscriber role to access or manipulate event records belonging to other users by tampering with object identifiers. The flaw was disclosed by Patchstack and carries CVSS 7.1, reflecting high confidentiality impact with limited integrity impact; no public exploit was identified at time of analysis and there is no CISA KEV listing. Because WordPress sites frequently allow open subscriber registration, the low PR:L barrier is practically trivial to clear on affected installations.

Authentication Bypass Eventprime
NVD
CVSS 3.1: 7.1
EPSS: 0.3%
CVE-2026-42669 HIGH This Week

Broken access control in the EventPrime WordPress plugin (versions up to and including 4.3.2.0) allows unauthenticated remote attackers to modify or tamper with data due to incorrectly configured access control security levels. The flaw, reported by Patchstack and tracked as CWE-862 (Missing Authorization), carries a CVSS 3.1 base score of 7.5 with an integrity-only impact; no public exploit identified at time of analysis.

Authentication Bypass Eventprime
NVD VulDB
CVSS 3.1: 7.5
EPSS: 0.0%
CVE-2026-24378 CRITICAL Act Now

This is a PHP Object Injection vulnerability in the Metagauss EventPrime WordPress plugin (eventprime-event-calendar-management) caused by unsafe deserialization of untrusted data. All versions up to and including 4.2.8.0 are affected, allowing attackers to inject malicious serialized objects that can lead to remote code execution or arbitrary actions depending on available PHP gadget chains. The vulnerability has been publicly disclosed and documented by Patchstack; exploitation likelihood and real-world impact depend on the presence of exploitable gadget chains in the target WordPress environment.

Deserialization Eventprime
NVD VulDB
CVSS 3.1: 9.8
EPSS: 0.0%
CVE-2025-69358 HIGH This Week

A missing authorization vulnerability exists in the Metagauss EventPrime event calendar management plugin for WordPress, classified as CWE-862 (Missing Authorization), that allows attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability affects EventPrime versions up to and including 4.2.6.0, enabling exploitation through incorrectly configured access control security levels. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2025-209001, suggesting active security community awareness, though KEV status and proof-of-concept availability remain unconfirmed from available intelligence.

Authentication Bypass Eventprime
NVD VulDB
CVSS 3.1: 7.5
EPSS: 0.0%
CVE-2026-25312 HIGH This Week

EventPrime versions through 4.2.8.3 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data through improperly configured access controls. The flaw enables integrity compromise without requiring authentication or user interaction, affecting all installations of the affected versions. No patch is currently available.

Authentication Bypass Eventprime
NVD VulDB
CVSS 3.1: 7.5
EPSS: 0.0%
CVE-2024-4665 MEDIUM POC This Month

The EventPrime WordPress plugin before 3.5.0 does not properly validate permissions when updating bookings, allowing users to change or cancel bookings for other users. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

WordPress Information Disclosure Eventprime
NVD WPScan
CVSS 3.1: 6.4
EPSS: 0.2%
CVE-2024-13526 MEDIUM This Month

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_submittion_attendees function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

WordPress Authentication Bypass Eventprime
NVD
CVSS 3.1: 4.3
EPSS: 0.0%