CVE-2026-39518: WordPress EventPrime plugin <= 4.3.0.0 - Insecure Direct Object References (IDOR) vulnerability
Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: — (no upstream fix version published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An Insecure Direct Object Reference (IDOR) vulnerability affects the EventPrime WordPress plugin at version 4.3.0.0 and earlier. The flaw is reachable over the network and requires only a low-privilege (subscriber-level) account, meaning any registered user on an affected WordPress site can exploit it. Successful exploitation gives an attacker read access to data they should not be authorized to view, and limited ability to modify records. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Available: Detection capability is available across all HarborGuard environments. The CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against every customer image in connected registries and CI pipelines. Coverage extends to custom-built images that bundle the EventPrime plugin directly.
- Available: HarborGuard can score this finding at CVSS 7.1 (High, v3.1) and weight it against each customer environment's compliance policy to determine priority. Routing rules can direct the alert to the appropriate team inbox within each customer organization based on image ownership and severity thresholds.
- Pending upstream: No upstream fix version has been published for this CVE. HarborGuard re-evaluates the advisory on each ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released by the EventPrime maintainers. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix is available.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network; an attacker must be able to reach the WordPress site via HTTP or HTTPS.
- Authentication: Required
A low-privilege account (subscriber level or equivalent registered user) is sufficient; no admin credentials are needed.
- Victim interaction: Not required
No action from another user or administrator is needed to trigger the vulnerability.
- Attack complexity: Low
Exploitation is straightforward and condition-free; no race conditions or special environmental factors are required.
Blast Radius
- Reads event or booking records belonging to other users that the attacker is not authorized to access, such as private event details, attendee information, or reservation data.
- Makes limited unauthorized modifications to object records exposed through the direct reference, potentially altering bookings or event entries owned by other users.
- Does not affect service availability; the Availability impact is rated None in the CVSS vector.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-39518 is active and matches images containing EventPrime versions at or below 4.3.0.0 across all connected registries and pipelines. Because no upstream fix has been published as of the CVE publication date, HarborGuard monitors the Patchstack advisory and the EventPrime release feed on every ingest cycle. The moment a patched version ships, a rebuilt image becomes available; for customers who opt into auto-remediation, this triggers a rebuild, a regression test run, and a PR opened against affected workloads automatically. In the interim, compensating controls worth considering include restricting the WordPress site's authenticated endpoints behind additional network-policy rules, limiting subscriber-level registration if it is not required by the application, and using web application firewall rules to flag or block anomalous object-reference patterns on EventPrime routes.
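The last compensating control above, flagging anomalous object-reference patterns on the plugin's routes, can be approximated from ordinary web-server access logs while a fix is pending: a single client that successfully fetches many distinct object ids on the plugin route in a short window is the signature of an IDOR being walked. The script below is an added example for this advisory, not HarborGuard's or EventPrime's own code. The advisory does not name EventPrime's routes or query parameters, so `ROUTE_PREFIX` and `ID_PARAMS` are placeholders to replace with what is observed on your own site, and the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common/Combined Log Format: we only need the client IP, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Hypothetical placeholders: the advisory does not name EventPrime's routes or
# query parameters, so substitute the ones observed on your own site.
ROUTE_PREFIX = "/wp-json/PLUGIN-ROUTE-PLACEHOLDER/"
ID_PARAMS = ("booking_id", "event_id", "id")


def parse_line(line):
    """Return a dict with ip/ts/method/target/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def object_id_from_target(target, id_params=ID_PARAMS):
    """Pull the referenced object id out of a request target.

    Looks first for a known query parameter, then for a trailing numeric
    path segment such as .../bookings/105.
    """
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    for name in id_params:
        if query.get(name):
            return query[name][0]
    last = parts.path.rstrip("/").rsplit("/", 1)[-1]
    return last if last.isdigit() else None


def find_enumeration(lines, route_prefix=ROUTE_PREFIX, threshold=5, id_params=ID_PARAMS):
    """Map client IP -> sorted list of distinct object ids it successfully fetched
    on the plugin route, keeping only clients at or above `threshold`.

    Denied requests (status >= 400) are ignored: they show probing but not
    exposure, and counting them would flag clients the authorization check
    already stopped. Key on the WordPress user instead of the IP if your
    access log records it.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["target"].startswith(route_prefix):
            continue
        if rec["status"] >= 400:
            continue
        oid = object_id_from_target(rec["target"], id_params)
        if oid is not None:
            seen[rec["ip"]].add(oid)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


# Constructed sample log: one client walks booking ids 101..107 (plus one denied
# request and an unrelated page), another client fetches a single booking twice.
SAMPLE_LOG = [
    f'198.51.100.7 - - [01/Jan/2026:10:00:{i:02d} +0000] '
    f'"GET {ROUTE_PREFIX}bookings?booking_id={100 + i} HTTP/1.1" 200 512 "-" "curl/8.0"'
    for i in range(1, 8)
] + [
    f'198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] '
    f'"GET {ROUTE_PREFIX}bookings?booking_id=999 HTTP/1.1" 403 87 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2026:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "curl/8.0"',
    f'203.0.113.9 - - [01/Jan/2026:10:01:00 +0000] '
    f'"GET {ROUTE_PREFIX}bookings?booking_id=101 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - [01/Jan/2026:10:01:30 +0000] '
    f'"GET {ROUTE_PREFIX}bookings?booking_id=101 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct objects on {ROUTE_PREFIX}: {ids}")
```

The threshold is deliberately a parameter: a legitimate organizer reviewing their own events will touch a handful of ids, so tune it against a baseline from your own traffic before wiring the output into a WAF or alerting rule, and treat a hit as a prompt to check whether the fetched records belong to the requesting account rather than as proof of compromise.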
- EventPrime / EventPrime: ≤ 4.3.0.0
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N