CVE-2026-1657

🗓️ 17 Feb 2026 05:29:53Reported by WordfenceType

cve🔗 web.nvd.nist.gov👁 20 Views🌐 WEB

EventPrime up to 4.2.8.4 permits image uploads without authentication via ep_upload_file_media.

Reporter	Title	Published	Views	Family All 13
GithubExploit	Exploit for CVE-2026-1657	9 Apr 202617:53	–	githubexploit
GithubExploit	Exploit for CVE-2026-1657	28 Mar 202608:30	–	githubexploit
ATTACKERKB	CVE-2026-1657	17 Feb 202605:29	–	attackerkb
Circl	CVE-2026-1657	28 Mar 202611:00	–	circl
CNNVD	WordPress plugin EventPrime 安全漏洞	17 Feb 202600:00	–	cnnvd
Cvelist	CVE-2026-1657 EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint	17 Feb 202605:29	–	cvelist
NVD	CVE-2026-1657	17 Feb 202606:16	–	nvd
Packet Storm	📄 WordPress EventPrime 4.2.8.1 Arbitrary File Upload	10 Apr 202600:00	–	packetstorm
Patchstack	WordPress EventPrime plugin <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint vulnerability	16 Feb 202622:54	–	patchstack
Positive Technologies	PT-2026-8398	17 Feb 202600:00	–	ptsecurity

Vulners

Node

metagauss eventprime_events_calendar,_bookings_and_ticketsRange≤4.2.8.4wordpress

[
  {
    "vendor": "metagauss",
    "product": "EventPrime – Events Calendar, Bookings and Tickets",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "4.2.8.4",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-eventprime-event-calendar-management.php
plugins	www.plugins.trac.wordpress.org/changeset
plugins	www.plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-eventprime-event-calendar-management.php
plugins	www.plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/trunk/includes/class-ep-ajax.php
plugins	www.plugins.trac.wordpress.org/browser/eventprime-event-calendar-management/tags/4.2.8.1/includes/class-ep-ajax.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/42aa82ff-0d37-4040-b8fc-84d29534a4b7

Parameter	Position	Path	Description	CWE
action	request body	/wp-admin/admin-ajax.php?action=ep_upload_file_media	Unauthenticated arbitrary file upload via ep_upload_file_media AJAX endpoint exposed publicly due to nopriv; accepts file via multipart form-data.	CWE-862
file	request body	/wp-admin/admin-ajax.php?action=ep_upload_file_media	Unauthenticated arbitrary file upload via ep_upload_file_media AJAX endpoint exposed publicly due to nopriv; accepts file via multipart form-data.	CWE-862

17 Jun 2026 10:16Current

5.5Medium risk

Vulners AI Score5.5

CVSS 3.15.3

EPSS0.00379

SSVC

CWE-862