CVE-2026-45441

Vulnerability

Unauthenticated vulnerability in WpEvently (formerly Mage-EventPress) plugin for WordPress versions 5.3.3 and earlier. The exact nature of the flaw is not disclosed but it requires no authentication and is remotely exploitable. The vulnerability affects the plugin's handling of certain requests, allowing attackers to trigger unintended behavior. [1]

Exploitation

An attacker can send a specially crafted HTTP request to the WordPress site without any prior authentication. No user interaction or elevated privileges are required. Due to the unauthenticated nature and widespread applicability, exploits are known to be used in mass-exploit campaigns against thousands of sites. [1]

Impact

Successful exploitation leads to a compromise of the affected website. The CVSS score of 7.5 (High) indicates significant impact on confidentiality, integrity, or availability. Attackers may gain the ability to perform unauthorized actions that can result in data exposure, modification, or service disruption. The vulnerability is actively weaponized in automated attacks. [1]

Mitigation

The vendor has not released a fixed version as of the publication date. Immediate action recommended: update the plugin to a patched version once available. If unable to update, contact hosting provider or web developer for assistance. Since the vulnerability is being actively exploited, it may be added to known exploited vulnerabilities (KEV) catalog. [1]