CVE-2026-1655: CWE-862 Missing Authorization in metagauss EventPrime – Events Calendar, Bookings and Tickets
The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter, provided they can obtain a valid nonce.
AI Analysis
Technical Summary
CVE-2026-1655 is a missing authorization vulnerability (CWE-862) in the EventPrime – Events Calendar, Bookings and Tickets WordPress plugin developed by metagauss. The vulnerability exists in all versions up to and including 4.2.8.4. The root cause is the save_frontend_event_submission function, which processes event updates submitted from the frontend. It accepts a user-controlled event_id parameter and updates the corresponding event post without verifying whether the authenticated user owns that event or holds the capabilities needed to modify it. The attacker must be authenticated with at least Customer+ privileges and must possess a valid nonce, but no further user interaction is required. An attacker can therefore modify event posts created by administrators or other users, compromising the integrity of event data. The CVSS v3.1 base score is 4.3 (medium severity), reflecting the low impact on confidentiality and availability but moderate impact on integrity. The attack vector is network-based with low attack complexity and requires privileges but no user interaction. No patches or known exploits are currently available, so the vulnerability remains unmitigated in affected versions. This flaw could be leveraged to alter event details, potentially misleading attendees or disrupting event operations.
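The following is an added illustration, not EventPrime's code: a hardened frontend save handler of the kind the advisory describes, showing where an ownership/capability check belongs relative to the nonce check. Only save_frontend_event_submission and event_id come from the advisory; the post type slug, nonce action, field names and the example_ prefix are assumptions.

```php
<?php
// Added example, not the plugin's own code. Names other than
// save_frontend_event_submission and event_id are assumptions.

define( 'EXAMPLE_EVENT_POST_TYPE', 'example_event' ); // assumed slug, not EventPrime's

function example_save_frontend_event_submission() {
    // 1. CSRF protection. A nonce only proves the request originated from a page
    //    this site served to this user; it says nothing about what they may edit.
    check_ajax_referer( 'example_event_submission', 'nonce' ); // assumed action/field names

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }

    // 2. Treat event_id as untrusted input and resolve it to a real post.
    $event_id = isset( $_POST['event_id'] ) ? absint( wp_unslash( $_POST['event_id'] ) ) : 0;
    $post     = $event_id ? get_post( $event_id ) : null;

    if ( ! $post || EXAMPLE_EVENT_POST_TYPE !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Unknown event.' ), 404 );
    }

    // 3. Authorization: the check the advisory says is missing. With the post id
    //    as context, current_user_can() is resolved through map_meta_cap to
    //    edit_posts / edit_others_posts for the post type, so a low-privilege
    //    user who does not own the post is refused however event_id was chosen.
    if ( ! current_user_can( 'edit_post', $event_id ) ) {
        wp_send_json_error( array( 'message' => 'You may not edit this event.' ), 403 );
    }

    // 4. Only now update, and only with sanitized fields.
    $result = wp_update_post(
        array(
            'ID'         => $event_id,
            'post_title' => sanitize_text_field( wp_unslash( $_POST['event_title'] ?? '' ) ),
        ),
        true // return WP_Error instead of 0 on failure
    );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'event_id' => $event_id ) );
}
add_action( 'wp_ajax_example_save_frontend_event_submission', 'example_save_frontend_event_submission' );
```

The ordering matters: nonce first, then input validation, then the capability check, and no write before all three pass.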
Potential Impact
For European organizations, particularly those relying on WordPress and the EventPrime plugin for managing events, bookings, and tickets, this vulnerability poses a risk to the integrity of event-related data. Unauthorized modification of event posts could lead to misinformation, scheduling conflicts, or fraudulent event details, damaging organizational reputation and trust. In sectors such as education, government, cultural institutions, and corporate event management, this could disrupt operations and stakeholder communications. While the vulnerability does not directly impact confidentiality or availability, the integrity compromise could have cascading effects on business processes and user trust. Attackers with Customer+ privileges could exploit this to manipulate events without detection if monitoring is insufficient. The lack of patches increases exposure time, necessitating immediate compensatory controls. Organizations with high event management activity and public-facing event calendars are at greater risk.
Mitigation Recommendations
Until an official patch is released, European organizations should implement strict access controls to limit Customer+ privileges to trusted users only. Review and tighten user role assignments in WordPress to minimize the number of users with elevated permissions. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to manipulate the event_id parameter. Enable detailed logging and monitoring of event post modifications to quickly identify unauthorized changes. Consider temporarily disabling frontend event submission features if feasible, or restricting them to verified users. Conduct regular audits of event content integrity and verify that nonce validation mechanisms are robust. Engage with the plugin vendor for updates and apply patches promptly once available. Additionally, educate users about the risk and encourage reporting of suspicious event modifications.
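As an added example of the logging and monitoring recommended above (not part of the advisory or of EventPrime), this mu-plugin style hook records every update to an event post and flags the scenario in this advisory: a user who is neither the post's author nor allowed to edit others' posts changing an event. The post type slug and the example_ names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Post type slug is assumed.

define( 'EXAMPLE_EVENT_POST_TYPE', 'example_event' ); // assumed slug, not EventPrime's

// Pure decision function: true when the update matches the advisory's scenario
// (a low-privilege user editing an event somebody else created).
function example_is_suspicious_event_update( $post_type, $post_author_id, $actor_id, $actor_caps ) {
    if ( EXAMPLE_EVENT_POST_TYPE !== $post_type ) {
        return false;
    }
    if ( (int) $post_author_id === (int) $actor_id ) {
        return false; // the owner editing their own event
    }
    // Editors and administrators hold edit_others_posts; anyone else editing a
    // foreign event should not have got this far and is worth an alert.
    return empty( $actor_caps['edit_others_posts'] );
}

// Core fires do_action( 'post_updated', $post_ID, $post_after, $post_before ) on every update.
function example_audit_event_update( $post_id, $post_after, $post_before ) {
    if ( EXAMPLE_EVENT_POST_TYPE !== $post_after->post_type ) {
        return;
    }
    $user       = wp_get_current_user(); // ID 0 for cron/CLI contexts, still logged
    $suspicious = example_is_suspicious_event_update(
        $post_after->post_type, $post_after->post_author, $user->ID, $user->allcaps
    );
    $line = sprintf(
        '[event-audit] %s post=%d author=%d actor=%d roles=%s ip=%s suspicious=%s title_changed=%s',
        current_time( 'c' ),
        $post_id,
        $post_after->post_author,
        $user->ID,
        implode( ',', $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-',
        $suspicious ? 'yes' : 'no',
        $post_before->post_title !== $post_after->post_title ? 'yes' : 'no'
    );
    error_log( $line ); // lands in the PHP error log / WP_DEBUG_LOG; forward from there to a SIEM
    if ( $suspicious ) {
        wp_mail( get_option( 'admin_email' ), 'Suspicious event modification', $line );
    }
}
add_action( 'post_updated', 'example_audit_event_update', 10, 3 );
```

Because the hook runs after the write, it detects rather than prevents; pair it with the capability check in the handler itself.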
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-29T19:20:41.453Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69956e1c80d747be20503e12
Added to database: 2/18/2026, 7:45:32 AM
Last enriched: 2/18/2026, 8:01:40 AM
Last updated: 2/21/2026, 12:17:35 AM