Platform: wordpress
Component: mage-eventpress
Fixed in: 5.1.2
CVE-2026-24942 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in the WpEvently WordPress plugin developed by magepeopleteam. This flaw potentially allows an attacker to execute unauthorized actions on a user's behalf while that user is logged into a site running the vulnerable plugin. The vulnerability affects versions of WpEvently from 0.0.0 up to and including 5.1.1, and a patch is available in version 5.1.2.
A successful CSRF attack could allow an attacker to modify settings, create or delete content, or perform other actions as the logged-in user. The impact is directly proportional to the user's privileges within the WordPress site. For example, an administrator account compromised via CSRF could lead to complete site takeover. This vulnerability is particularly concerning because CSRF attacks are often difficult for users to detect, as they may unknowingly be tricked into clicking malicious links or visiting compromised websites. The attacker needs to trick the user into performing the action, but does not need to know their password.
CVE-2026-24942 was publicly disclosed on 2026-02-03. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 4.3 (MEDIUM) indicates a moderate risk. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.02% (4% percentile)
The primary mitigation for CVE-2026-24942 is to immediately upgrade the WpEvently plugin to version 5.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) with CSRF protection rules. These rules can help block malicious requests by verifying the presence and validity of CSRF tokens. Additionally, review and strengthen WordPress user permissions to limit the potential impact of a successful CSRF attack. Regularly audit WordPress plugins for vulnerabilities and keep all plugins and themes updated.
Update to version 5.1.2, or a newer patched version
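To confirm whether a given install falls in the affected range, the following added example (not code from the plugin or its vendor) reads the plugin's `Version:` header from disk and compares it with the fixed release. It assumes the default `wp-content/plugins/mage-eventpress` layout; the file name `main.php` and the header contents in `demo()` are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

SLUG = "mage-eventpress"   # plugin directory name, from the advisory's Component field
FIXED = (5, 1, 2)          # first patched release per the advisory

# Same idea as WordPress's own header parsing: "Version:" at the start of a comment line.
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(text):
    """'5.1.1' -> (5, 1, 1); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192]          # WordPress reads only the first 8 KiB
        if b"plugin name:" in head.lower():     # only the main file carries this header
            m = VERSION_RE.search(head)
            if m:
                return m.group(1).decode()
    return None

def check_site(wp_root):
    """Classify one WordPress root (default wp-content layout assumed)."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown", None)
    return ("affected" if parse_version(version) < FIXED else "patched", version)

def demo():
    """Run the check against a constructed install (sample data, not a real site)."""
    with tempfile.TemporaryDirectory() as root:
        plugin = Path(root) / "wp-content" / "plugins" / SLUG
        plugin.mkdir(parents=True)
        (plugin / "main.php").write_text("<?php\n/**\n * Plugin Name: Sample\n * Version: 5.1.1\n */\n")
        return check_site(root)

if __name__ == "__main__":
    print(demo())
```

Sites that relocate `wp-content` need the path in `check_site` adjusted; an `unknown` result means the directory exists but no version header was found and should be checked by hand.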
CVE-2026-24942 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions 0.0.0–5.1.1 of the WpEvently WordPress plugin, allowing attackers to perform unauthorized actions.
You are affected if you are using WpEvently version 0.0.0 through 5.1.1. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the WpEvently plugin to version 5.1.2 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-24942, but vigilance is still advised.
Refer to the magepeopleteam website or WordPress plugin repository for the official advisory and update information regarding CVE-2026-24942.