"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 8
Critical: 0
High: 1
Medium: 7
Showing 1-8 of 8 records
Threat Entry Updated 2026-04-15

CVE-2026-1655 - Eventprime Event Calendar Management Plugin

The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter, provided they can obtain a valid nonce.

PLUGIN Eventprime Event Calendar Management

CVE-2026-1655

MEDIUM CVSS 4.3 2026-02-18
Threat Entry Updated 2026-04-15

CVE-2026-1657 - Eventprime Event Calendar Management Plugin

The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.

PLUGIN Eventprime Event Calendar Management

CVE-2026-1657

MEDIUM CVSS 5.3 2026-02-17
Threat Entry Updated 2026-01-14

CVE-2025-14507 - Eventprime Event Calendar Management Plugin

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0.

PLUGIN Eventprime Event Calendar Management

CVE-2025-14507

MEDIUM CVSS 5.3 2026-01-13
Threat Entry Updated 2025-11-12

CVE-2025-12498 - Eventprime Event Calendar Management Plugin

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized booking note creation due to a missing capability check on the 'booking_add_notes' function in all versions up to, and including, 4.2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add a note to the backend view of any booking.

PLUGIN Eventprime Event Calendar Management

CVE-2025-12498

MEDIUM CVSS 4.3 2025-11-08
Threat Entry Updated 2025-08-12

CVE-2024-13526 - Eventprime Event Calendar Management Plugin

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_submittion_attendees function in all versions up to, and including, 4.0.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download the list of attendees for any event.

PLUGIN Eventprime Event Calendar Management

CVE-2024-13526

MEDIUM CVSS 4.3 2025-03-07
Threat Entry Updated 2025-01-10

CVE-2024-12024 - Eventprime Event Calendar Management Plugin

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the em_ticket_category_data and em_ticket_individual_data parameters in all versions up to, and including, 4.0.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page. Note: this vulnerability requires the "Guest Submissions" setting to be enabled. It is disabled by default.

PLUGIN Eventprime Event Calendar Management

CVE-2024-12024

HIGH CVSS 7.2 2024-12-17
Threat Entry Updated 2024-09-26

CVE-2024-8369 - Eventprime Event Calendar Management Plugin

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events.

PLUGIN Eventprime Event Calendar Management

CVE-2024-8369

MEDIUM CVSS 5.3 2024-09-10
Threat Entry Updated 2025-01-15

CVE-2024-1127 - Eventprime Event Calendar Management Plugin

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the booking_export_all() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve all event bookings, which can contain PII.

PLUGIN Eventprime Event Calendar Management

CVE-2024-1127

MEDIUM CVSS 4.3 2024-03-13