Severity: HIGH | CVE-2026-45441 | CNA: Patchstack

CVE-2026-45441: WordPress WpEvently plugin <= 5.3.3 - Other Vulnerability Type vulnerability

Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An unauthenticated integrity-impacting vulnerability affects the WpEvently WordPress plugin at version 5.3.3 and earlier, developed by Magepeople Inc. The flaw is reachable over the network with no credentials or user interaction required, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation gives an attacker the ability to tamper with or modify data on the affected WordPress site without authentication. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-45441 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, covering both third-party and custom-built images that bundle the WpEvently plugin. Any image containing WpEvently at version 5.3.3 or earlier is flagged automatically in connected registries and CI pipelines.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting that score against each environment's compliance policy to reflect the actual risk exposure for that deployment context. Triage routing is available to direct alerts to the appropriate team inbox within each customer organization based on policy configuration.

Status: Available

Patch

Because no upstream fix version has been published for CVE-2026-45441, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Magepeople Inc. ships a remediated release. Customers with auto-remediation enabled will have a rebuild, regression run, and PR opened against affected workloads as soon as a fix version becomes available upstream.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected WordPress service over the network; no local access or physical proximity is needed.

  • Authentication: Not required

    No credentials of any privilege level are required to exploit this vulnerability.

  • Victim interaction: Not required

    No action from a site user or administrator is needed for the attack to succeed.

  • Attack complexity: Low

    The exploit is reliable and condition-free, requiring no race conditions or special environmental setup to land.

Blast Radius

  • An attacker can write or modify data on the affected WordPress site without holding any account.
  • Site content, configuration records, or plugin-managed event data can be tampered with directly through the vulnerability.
  • The confidentiality of stored data is not affected by this vulnerability, and service availability is not disrupted.

How HarborGuard Handles This

Available on HarborGuard: images containing WpEvently at or below version 5.3.3 are flagged as soon as the CVE enters the ingest pipeline. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published. In the interim, customers can apply compensating controls through HarborGuard network policies, such as restricting external HTTP access to WordPress admin and plugin endpoints, applying egress filtering on affected containers, or gating WpEvently functionality via feature-flag configuration where the application supports it. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be triggered automatically once an upstream fix is available, with median time from CVE publication to merged patch PR for high-severity issues running around 90 minutes in qualifying environments.

Affected packages
  • Magepeople inc. / WpEvently
    ≤ 5.3.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N