High severity7.5NVD Advisory· Published Jun 2, 2026· Updated Jun 2, 2026

CVE-2026-42669

Description

EventPrime versions prior to 4.3.2.1 have a missing authorization vulnerability allowing unprivileged users to perform privileged actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

EventPrime versions prior to 4.3.2.1 have a missing authorization vulnerability allowing unprivileged users to perform privileged actions.

Vulnerability

EventPrime versions from n/a through 4.3.2.0 contain a missing authorization vulnerability. This issue stems from incorrectly configured access control, specifically a missing authorization, authentication, or nonce token check within a function. This allows unprivileged users to execute actions typically reserved for higher-privileged users [1].

Exploitation

An attacker needs to be an unprivileged user on the affected system. They can then exploit this vulnerability by triggering a specific function that lacks proper access control checks, allowing them to perform actions they are not authorized to [1].

Impact

Successful exploitation allows an unprivileged user to execute higher-privileged actions. The available references indicate this has a low severity impact and is unlikely to be exploited, though the specific CIA triad outcomes are not detailed [1].

Mitigation

Update EventPrime to version 4.3.2.1 or later to resolve this vulnerability. If an update is not immediately possible, seek assistance from a hosting provider or web developer. Patchstack users can enable auto-updates for vulnerable plugins [1].

References

Broken Access Control in WordPress EventPrime Plugin

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Eventprime Event Calendar Managementinferred
Range: <=4.3.2.0
Package: https://wordpress.org/plugins/eventprime-event-calendar-management
WordPress/Eventprimellm-fuzzy
Range: <=4.3.2.0

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

patchstack.com/database/wordpress/plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-3-2-0-broken-access-control-vulnerabilitynvd

News mentions

WordPress: 25 Vulnerabilities Disclosed Together on June 2, 2026
Vypr Intelligence · Jun 2, 2026

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000