CVE-2026-42669: WordPress EventPrime plugin <= 4.3.2.0 - Broken Access Control vulnerability
Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through 4.3.2.0.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken access control vulnerability affects the WordPress EventPrime plugin at version 4.3.2.0 and earlier. The flaw is reachable over the network with no authentication required and no user interaction needed, meaning any remote party can trigger it directly. Successful exploitation gives an attacker full write access to data controlled by the plugin, enabling unauthorized creation, modification, or deletion of event-related content. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as one is released.
HarborGuard Coverage
- Detection (Available): Detection for CVE-2026-42669 is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against all customer images, including custom-built images that bundle the EventPrime plugin.
- Scoring and triage (Available): HarborGuard scores this vulnerability at CVSS 7.5 (HIGH) and applies per-environment compliance policy weighting to prioritize it appropriately. Triage routing to the right team inbox inside each customer organization is available based on image ownership and policy configuration.
- Patched rebuild (Pending upstream): Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream fix ships. In the interim, compensating controls such as network-policy isolation for WordPress workloads are surfaced within the platform for environments where policy permits their application.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress instance via HTTP or HTTPS.
- Authentication: Not required
No account or session credential of any kind is needed to exploit this vulnerability.
- Victim interaction: Not required
The attack completes without any action from an existing user or administrator of the site.
- Attack complexity: Low
The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental prerequisites.
Blast Radius
- An unauthenticated attacker can write, modify, or delete event and booking data managed by the EventPrime plugin.
- Integrity of scheduled events, registrations, and plugin-persisted configuration records is fully compromised.
- No confidentiality or availability impact is indicated, so data exfiltration and service disruption are not direct outcomes of this vulnerability alone.
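To make the bug class concrete, the following is an added illustration written for this page, not EventPrime's code (the advisory does not name the affected endpoint); every demo_* action, route and meta key is constructed. It shows a WordPress write handler that is missing authorization beside the same handler with the checks a privileged write needs.

```php
<?php
// Illustrative example only (not EventPrime's code): a WordPress AJAX handler
// that writes plugin-owned event data, first without authorization, then with it.

// --- Vulnerable pattern: reachable anonymously, no capability check ---
// Registering on wp_ajax_nopriv_* exposes the action to unauthenticated
// requests, and the handler never asks whether the caller may edit events.
add_action( 'wp_ajax_nopriv_demo_save_event', 'demo_save_event_unchecked' );
add_action( 'wp_ajax_demo_save_event',        'demo_save_event_unchecked' );
function demo_save_event_unchecked() {
    $event_id = absint( $_POST['event_id'] ?? 0 );
    $title    = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_post_meta( $event_id, 'demo_event_title', $title ); // anyone can write
    wp_send_json_success();
}

// --- Hardened pattern ---
// Only the authenticated hook is registered, the nonce binds the request to a
// logged-in session, and the capability check is scoped to the specific post.
add_action( 'wp_ajax_demo_save_event_v2', 'demo_save_event_checked' );
function demo_save_event_checked() {
    check_ajax_referer( 'demo_save_event', 'nonce' ); // ends the request on failure
    $event_id = absint( $_POST['event_id'] ?? 0 );
    if ( ! $event_id || ! current_user_can( 'edit_post', $event_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    update_post_meta( $event_id, 'demo_event_title', $title );
    wp_send_json_success();
}

// Same rule for a REST route: permission_callback must reject anonymous
// callers; a '__return_true' permission_callback turns a route into a public write.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/events/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $title = sanitize_text_field( $req['title'] );
            update_post_meta( (int) $req['id'], 'demo_event_title', $title );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'edit_post', (int) $req['id'] );
        },
    ) );
} );
```

When auditing a plugin for this class, grep for wp_ajax_nopriv_ hooks and permission_callback values on any action that persists data; a write path reachable through either without a current_user_can check is the pattern this advisory describes.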
How HarborGuard Handles This
Available on HarborGuard: detection for this vulnerability is matched against images as soon as the advisory is ingested, with no gap for custom images that include the EventPrime plugin. Because no patched version has been published by the upstream maintainer, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment a fix version is available. While no patch exists, compensating controls are worth considering: restricting network access to WordPress instances via Kubernetes network policy, enabling egress filtering on plugin API endpoints where feasible, and auditing WordPress user and REST API access controls to limit the plugin's exposed attack surface. These suggestions are available as advisory guidance within the HarborGuard platform for environments where compliance policy permits their application.
- EventPrime / EventPrime: ≤ 4.3.2.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N