CVE-2026-1657: CWE-862 Missing Authorization in metagauss EventPrime – Events Calendar, Bookings and Tickets
The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.
AI Analysis
Technical Summary
CVE-2026-1657 is a vulnerability classified under CWE-862 (Missing Authorization) found in the EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress. The flaw arises because the plugin registers an AJAX action named upload_file_media as publicly accessible (nopriv-enabled) but fails to implement any authentication, authorization, or nonce verification mechanisms. Although the plugin generates a nonce, it does not verify it upon receiving requests, allowing unauthenticated attackers to invoke this AJAX endpoint. This endpoint facilitates uploading image files to the WordPress uploads directory and creating Media Library attachments. Since the upload functionality is exposed without restrictions, attackers can upload arbitrary image files, which might be leveraged to upload malicious payloads if combined with other vulnerabilities or misconfigurations. The vulnerability affects all versions up to 4.2.8.4 inclusive. The CVSS v3.1 base score is 5.3 (medium), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to integrity (unauthorized file uploads) without direct confidentiality or availability impact. No known public exploits have been reported yet. The vulnerability was published on February 17, 2026, and was reserved on January 29, 2026. The lack of authentication and authorization checks on a publicly exposed upload endpoint represents a significant security oversight that could be exploited for website defacement, malware hosting, or as a foothold for further attacks.
Potential Impact
For European organizations, especially those operating event management websites using WordPress with the EventPrime plugin, this vulnerability poses a risk of unauthorized file uploads. Attackers could upload malicious images or webshells, potentially leading to website defacement, data integrity compromise, or pivoting to deeper network intrusions. This could damage brand reputation, disrupt event operations, and expose sensitive customer data. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely and easily by attackers scanning for vulnerable sites. The impact is particularly critical for organizations handling large volumes of event bookings and ticket sales, where trust and uptime are essential. Additionally, regulatory compliance under GDPR may be affected if unauthorized access leads to personal data exposure or service disruption. Although the vulnerability does not directly impact confidentiality or availability, the integrity compromise and potential for chained attacks elevate the risk profile for affected entities.
Mitigation Recommendations
1. Immediately restrict access to the ep_upload_file_media AJAX endpoint by implementing server-side access controls such as IP whitelisting or authentication requirements.
2. Disable or remove the EventPrime plugin if it is not essential or if updates are not yet available.
3. Monitor the WordPress uploads directory for unusual or unexpected files, especially those with executable content or suspicious metadata.
4. Implement Web Application Firewall (WAF) rules to detect and block unauthorized upload attempts targeting this endpoint.
5. Once a patched version of the plugin is released, promptly update to the fixed version to ensure nonce verification and proper authorization are enforced.
6. Conduct regular security audits of WordPress plugins and their AJAX endpoints to verify proper authentication and authorization controls.
7. Educate site administrators on the risks of publicly exposed AJAX actions and the importance of plugin updates.
8. Employ file integrity monitoring to detect unauthorized changes in the uploads directory.
9. Consider isolating the uploads directory with restrictive permissions to limit execution of uploaded files.
10. Review and harden WordPress security configurations, including disabling unnecessary AJAX actions and enforcing least privilege principles.
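The defect described in the technical summary (a callback reachable through the nopriv hook with no nonce or capability check) and the fix that mitigation 5 expects from a patched release can be shown side by side in a WordPress AJAX handler. The following is an added illustration, not EventPrime's code; the hook slug `ep_upload_file_media`, the nonce action name, the `nonce` request field and the `file` upload field are assumptions.

```php
<?php
// Added example of hardening a WordPress AJAX upload action. Not the plugin's
// own code: hook slug, nonce name and form field names are assumed.

// Vulnerable pattern as the advisory describes it: one callback registered for
// logged-in AND anonymous (nopriv) callers, and the callback verifies neither
// the nonce that was issued nor any capability.
//
//   add_action( 'wp_ajax_ep_upload_file_media',        'ep_upload_file_media_cb' );
//   add_action( 'wp_ajax_nopriv_ep_upload_file_media', 'ep_upload_file_media_cb' );

// Hardened registration: no nopriv hook at all. admin-ajax.php then answers
// anonymous requests for this action with "0" and never reaches the callback.
add_action( 'wp_ajax_ep_upload_file_media', 'ep_upload_file_media_hardened' );

function ep_upload_file_media_hardened() {
    // 1. CSRF: verify the nonce the page was issued with
    //    wp_create_nonce( 'ep_upload_file_media' ). Dies with HTTP 403 on failure.
    check_ajax_referer( 'ep_upload_file_media', 'nonce' );

    // 2. Authorization: the capability core itself requires for media uploads.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: a file must be present and must really be an image
    //    (content sniffed by core, not just the client-supplied extension).
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== (int) $_FILES['file']['error'] ) {
        wp_send_json_error( array( 'message' => 'no file' ), 400 );
    }
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'] );
    if ( empty( $check['type'] ) || 0 !== strpos( $check['type'], 'image/' ) ) {
        wp_send_json_error( array( 'message' => 'images only' ), 415 );
    }

    // 4. Let core move the file and create the attachment: it applies the
    //    allowed-MIME list, sanitizes the filename and records the uploader.
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    $attachment_id = media_handle_upload( 'file', 0 );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => $attachment_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```

The same three checks (nonce, capability, file type) are what an audit under mitigation 6 should look for in every `wp_ajax_*` callback, and any callback that is also registered under `wp_ajax_nopriv_*` needs a deliberate reason to be.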
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-29T20:00:13.921Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6994003ed1735ca7311ee332
Added to database: 2/17/2026, 5:44:30 AM
Last enriched: 2/17/2026, 5:58:47 AM
Last updated: 2/21/2026, 12:18:03 AM