{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25312", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:20:39.016Z", "datePublished": "2026-03-19T07:20:59.799Z", "dateUpdated": "2026-04-01T16:00:41.918Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "eventprime-event-calendar-management", "product": "EventPrime", "vendor": "Metagauss", "versions": [{"changes": [{"at": "4.2.8.4", "status": "unaffected"}], "lessThanOrEqual": "4.2.8.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Dr. M Fahad Khan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:04.866Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects EventPrime: from n/a through <= 4.2.8.3.</p>"}], "value": "Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through <= 4.2.8.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T16:00:41.918Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-8-3-payment-bypass-vulnerability?_s_id=cve"}], "title": "WordPress EventPrime plugin <= 4.2.8.3 - Payment Bypass vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:02:46.398643Z", "id": "CVE-2026-25312", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:03:06.409Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T14:02:46.398643Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:02:56.320Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress EventPrime plugin <= 4.2.8.3 - Payment Bypass vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Dr. M Fahad Khan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "EventPrime", "product": "EventPrime", "versions": [{"status": "affected", "changes": [{"at": "4.2.8.4", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "4.2.8.3"}], "packageName": "eventprime-event-calendar-management", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress EventPrime Plugin to the latest available version (at least 4.2.8.4).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress EventPrime Plugin to the latest available version (at least 4.2.8.4).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-8-3-payment-bypass-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through 4.2.8.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects EventPrime: from n/a through 4.2.8.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T07:20:59.799Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25312", "state": "PUBLISHED", "dateUpdated": "2026-03-19T14:03:06.409Z", "dateReserved": "2026-02-02T12:20:39.016Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T07:20:59.799Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through <= 4.2.8.3."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en EventPrime permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a EventPrime: desde n/a hasta 4.2.8.3."}], "id": "CVE-2026-25312", "lastModified": "2026-04-01T17:28:35.317", "metrics": {}, "published": "2026-03-19T08:16:18.940", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-8-3-payment-bypass-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.2.8.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[4.2.8.4,*]"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "EventPrime", "source": "cna", "vendor": "EventPrime"}, "product": "eventprime", "vendor": "theeventprime"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T08:20:35.809963+00:00", "value": {"mitigation_remediation": ["Update the WordPress EventPrime Plugin to the latest available version (at least 4.2.8.4)."], "summary": {"action": "Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The issue affects the EventPrime WordPress plugin for Event Calendar Management, from the earliest released version through version 4.2.8.3. Users who have not upgraded to 4.2.8.4 or later are susceptible. No other versions or products are explicitly listed as affected. ", "description_and_impact": "The vulnerability is a missing authorization flaw that lets an attacker exploit incorrectly configured access control levels. This allows an unauthorized user to bypass payment controls and artificially trigger or manipulate payment functionality within the EventPrime plugin. It is classified as CWE-862, reflecting unauthorized read or modification of data. The primary impact is loss of confidentiality and integrity of payment processing, potentially allowing fraudulent transactions. ", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity. An exploit is feasible through misconfigured access controls, most likely via remote web interactions with the plugin. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Consequently, an attacker with access to the WordPress admin interface or with the ability to execute code on the server could abuse this flaw, leading to unauthorized payment transactions and potential financial loss."}}}}, "created": "2026-03-19T08:54:27.965580+00:00", "updated": "2026-03-20T14:15:42.081035+00:00", "vendors": ["theeventprime", "theeventprime$PRODUCT$eventprime", "wordpress", "wordpress$PRODUCT$wordpress"]}