Severity: HIGH · CVE-2026-42686 · Published: · Modified: · CNA: Patchstack

CVE-2026-42686: WordPress EventPrime plugin <= 4.3.2.1 - Cross Site Scripting (XSS) vulnerability

Subscriber Cross Site Scripting (XSS) in EventPrime <= 4.3.2.1 versions.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: none published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a stored or reflected Cross-Site Scripting (XSS) vulnerability in the EventPrime WordPress plugin, affecting versions 4.3.2.1 and earlier. The vulnerability is reachable over the network and requires only a low-privilege (subscriber-level) account, with no victim interaction needed to trigger it. Successful exploitation allows an attacker to inject malicious scripts into the application, degrading availability significantly and enabling limited content tampering. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-42686 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including Patchstack. Coverage extends to custom-built images that bundle the EventPrime plugin, not just official registry images.

Triage: Available

HarborGuard is capable of scoring this CVE at 7.1 HIGH using its CVSS v3.1 vector and weighting findings against each customer environment's compliance policy. Routed alerts are available for delivery to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The vulnerable service must be reachable over the network; an attacker sends crafted HTTP requests to the publicly exposed WordPress instance.

  • Authentication: Required

    A low-privilege account (subscriber level or equivalent) is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed for the attacker to trigger the vulnerability.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • An attacker can inject malicious scripts into the EventPrime plugin context, which execute in the browser of any user who loads the affected page.
  • Integrity impact allows modification of page content visible to other users, enabling phishing lures or defacement of event listings.
  • Availability impact is rated High, meaning the attacker can disrupt the affected service or cause it to become unresponsive for legitimate users.
  • Confidentiality impact is rated None: within the CVSS-defined impact scope, the exploit does not directly expose stored data such as session tokens or user records.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-42686 as of the publication date, the platform monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild automatically once a remediated version of EventPrime is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine, including network-policy isolation to restrict inbound access to WordPress installations, egress filtering to limit what injected scripts can reach, and feature-flag or plugin-disable configurations documented in the advisory. Where compliance policy permits, customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads within the standard SLA window once a fix version is confirmed, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes for those environments.

Affected packages
  • EventPrime / EventPrime: ≤ 4.3.2.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H