CVE-2026-39518
Description
EventPrime WordPress plugin <=4.3.0.0 has an IDOR allowing subscribers to access unauthorized objects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The EventPrime plugin for WordPress, in versions up to and including 4.3.0.0, contains an Insecure Direct Object Reference (IDOR) vulnerability. An authenticated user with only the subscriber role can bypass the plugin's authorization checks and reach objects that should not be accessible to that role. The vulnerable code path is reachable by any logged-in subscriber; no additional condition or configuration is required [1].
Exploitation
An attacker needs only a valid subscriber account on the target site, so installations that allow open user registration expose the vulnerable path to anyone who signs up. By substituting another user's object identifier (for example a database record ID) into a request, the attacker can enumerate or retrieve objects belonging to other users. No special network position, user interaction, or timing is required beyond being authenticated as a subscriber. The public description does not name the affected endpoint or the specific object type [1].
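The authorization failure described above, as an added illustration in Python rather than the plugin's own PHP: a simulated object lookup with the missing ownership check beside its hardened form, and a pentest-style probe that tells the two apart. The event records, user roles, the choice of which roles may read any event, and the use of 404 for both missing and forbidden objects are constructed for this example; none of it is EventPrime's code or taken from the advisory.

```python
"""Object-level authorization (IDOR) check, simulated offline.

Constructed example: a tiny in-memory 'event' store and two request
handlers standing in for a WordPress plugin's AJAX/REST endpoint. The
vulnerable handler returns any record whose id the caller names; the
hardened one requires that the caller own the record or hold an
explicitly privileged role. A small probe then exercises both the way a
tester would: authenticate as a low-privilege user, fetch an owned object
as the baseline, then walk neighbouring ids and flag any that come back
readable. Nothing here is EventPrime's code.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    roles: set = field(default_factory=set)  # e.g. {"subscriber"} or {"administrator"}


# Constructed data: event records with an owner, as a plugin might store them.
EVENTS = {
    101: {"owner": 7, "title": "Board meeting", "attendees": ["ceo@example.test"]},
    102: {"owner": 3, "title": "Public meetup", "attendees": []},
    103: {"owner": 9, "title": "Payroll review", "attendees": ["cfo@example.test"]},
}

# Assumption for the example: roles allowed to read any event regardless of owner.
PRIVILEGED_ROLES = {"administrator", "editor"}


def vulnerable_get_event(user: User | None, event_id: int) -> tuple[int, dict | None]:
    """Returns the record for any valid id. Only authentication is checked,
    never whether *this* user may read *this* object: that gap is the IDOR."""
    if user is None:
        return 401, None
    record = EVENTS.get(event_id)
    if record is None:
        return 404, None
    return 200, record


def hardened_get_event(user: User | None, event_id: int) -> tuple[int, dict | None]:
    """Same endpoint with object-level authorization: the caller must own
    the record or hold a privileged role."""
    if user is None:
        return 401, None
    record = EVENTS.get(event_id)
    if record is None:
        return 404, None
    if record["owner"] != user.user_id and not (user.roles & PRIVILEGED_ROLES):
        # Same status as 'not found' so the endpoint cannot be used to
        # confirm which ids exist (a design choice, not a requirement).
        return 404, None
    return 200, record


def probe_idor(handler, user: User, owned_id: int, span: int = 5) -> list[int]:
    """Tester's check: confirm the baseline (own object readable), then
    request ids around it and return those the handler leaked."""
    status, _ = handler(user, owned_id)
    if status != 200:
        raise RuntimeError("baseline request failed; cannot test authorization")
    leaked = []
    for candidate in range(owned_id - span, owned_id + span + 1):
        if candidate == owned_id:
            continue
        status, record = handler(user, candidate)
        if status == 200 and record["owner"] != user.user_id:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    subscriber = User(user_id=3, roles={"subscriber"})
    print("vulnerable:", probe_idor(vulnerable_get_event, subscriber, owned_id=102))
    print("hardened:  ", probe_idor(hardened_get_event, subscriber, owned_id=102))
```

The probe only reports a leak when a foreign object comes back with a 200 and an owner other than the caller, so a hardened endpoint that answers 404 for every id but the caller's own produces an empty list. Against a real site the handler argument would wrap an authenticated HTTP client; the baseline request is what prevents mistaking a broken session for a fixed endpoint.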
Impact
Successful exploitation exposes data handled by EventPrime (for example event details, attendee records, or other users' personal information) that should be restricted to its owner or to higher-privileged roles. The impact is primarily on confidentiality; the public description says "access", and does not state whether the flaw also allows a subscriber to modify or delete the objects reached [1].
Mitigation
The vulnerability is fixed in version 4.3.0.1; update to that version or later. For sites that cannot update right away, Patchstack provides a virtual mitigation rule that blocks attack attempts. No other workaround has been published. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog [1].
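A check for whether an installed copy falls in the affected range, added here as an example (it is not the vendor's or Patchstack's tooling). It reads the Version: field from a WordPress plugin header in the standard header format and compares it against the boundaries the advisory gives, padding shorter version strings with zeros so that "4.3" and "4.3.0.0" compare equal. The sample header and the main-file name passed to check_plugin_dir are assumptions.

```python
"""Is the installed EventPrime in the affected range (<= 4.3.0.0)?

Constructed example, not EventPrime's or Patchstack's tooling. It parses
the 'Version:' field from a WordPress plugin's main-file header and
compares it against the advisory's boundaries. Versions are compared
component by component, with missing trailing components treated as
zero, so '4.3' == '4.3.0.0' and '4.3.0.1' > '4.3.0.0'.
"""
import re
from pathlib import Path

AFFECTED_MAX = "4.3.0.0"   # last vulnerable release per the advisory
FIXED = "4.3.0.1"          # first fixed release per the advisory

# Matches ' * Version: 4.3.0.0' as written in a WordPress plugin header.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '4.3.0.1' into (4, 3, 0, 1). Only numeric dotted releases are
    handled; anything else raises rather than being silently treated as safe."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: str, b: str) -> int:
    """-1, 0 or 1; the shorter tuple is padded with zeros before comparing."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def is_affected(version: str) -> bool:
    """True when the version is at or below the last vulnerable release."""
    return compare(version, AFFECTED_MAX) <= 0


def plugin_version_from_header(header_text: str) -> str:
    match = HEADER_RE.search(header_text)
    if not match:
        raise ValueError("no Version: field in plugin header")
    return match.group(1)


def check_plugin_dir(plugin_dir: str, main_file: str) -> bool:
    """Read <plugin_dir>/<main_file> and report whether it is affected.
    The main-file name is an assumption: pass whichever file in the
    plugin directory carries the 'Plugin Name:' header."""
    text = Path(plugin_dir, main_file).read_text(encoding="utf-8", errors="replace")
    return is_affected(plugin_version_from_header(text))


# Constructed header in the standard WordPress plugin-header format.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: EventPrime
 * Version: 4.3.0.0
 */
"""

if __name__ == "__main__":
    version = plugin_version_from_header(SAMPLE_HEADER)
    state = "affected" if is_affected(version) else "not affected"
    print(f"EventPrime {version}: {state} (first fixed release: {FIXED})")
```

Run check_plugin_dir against wp-content/plugins/<eventprime directory> on the server being audited; a True result means the install is at or below 4.3.0.0 and needs the 4.3.0.1 update or the virtual mitigation rule in the meantime.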
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.3.0.0
Patches
No fix commit or patch file has been indexed yet. The vendor's fixed release, per the Mitigation section above, is 4.3.0.1.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.