PatchSiren cyber security CVE debrief
CVE-2026-39518 EventPrime CVE debrief
CVE-2026-39518 is a HIGH-severity vulnerability in EventPrime, a WordPress plugin for event calendar management. The vulnerability, published on 2026-06-15T21:16:46.333Z and last modified on 2026-06-15T21:24:32.790Z, has a CVSS score of 7.1. It is classified as an Insecure Direct Object References (IDOR) vulnerability, which could allow attackers to access sensitive data or perform unauthorized actions. The vulnerability affects EventPrime versions up to and including 4.3.0.0.
- Vendor: EventPrime
- Product: Unknown
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of the EventPrime plugin for WordPress, particularly those with subscriber roles, should be aware of this vulnerability. Update to a patched version of the plugin as soon as possible.
Technical summary
The vulnerability is caused by inadequate access control in the EventPrime plugin, allowing subscribers to access or manipulate objects they should not have access to. This could lead to unauthorized data exposure or modification.
Defensive priority
HIGH
Recommended defensive actions
- Update EventPrime to a version that fixes the IDOR vulnerability.
- Review and restrict access controls for subscriber roles in WordPress.
- Monitor for suspicious activity related to event calendar management.
Evidence notes
The CVE was published by the National Vulnerability Database (NVD) and details were provided by Patchstack.
Official resources
- CVE-2026-39518 CVE record (CVE.org)
- CVE-2026-39518 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
CVE-2026-39518 was published on 2026-06-15T21:16:46.333Z and last modified on 2026-06-15T21:24:32.790Z.