CVE-2026-24378

EventPrime – Events Calendar, Bookings and Tickets <= 4.2.8.0 - Unauthenticated PHP Object Injection

Severity: high
Weakness: Deserialization of Untrusted Data
CVSS Score: 8.1
Patched in: 4.2.8.1
Time to patch: 11d

Description

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.8.0 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 4.2.8.0
Published: March 17, 2026
Last updated: March 27, 2026

What Changed in the Fix

Changes introduced in v4.2.8.1


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-24378 (EventPrime PHP Object Injection)

1. Vulnerability Summary

The EventPrime – Events Calendar, Bookings and Tickets plugin (up to 4.2.8.0) is vulnerable to Unauthenticated PHP Object Injection. The vulnerability exists in the plugin's AJAX handling logic, specifically within the EventM_Ajax_Service class. User-supplied input passed via specific AJAX actions is processed using maybe_unserialize() without prior validation. Because the plugin registers certain AJAX handlers for unauthenticated users (wp_ajax_nopriv_*), an attacker can supply a serialized PHP object that the server will instantiate.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: ep_get_event_data (Unauthenticated)
  • Vulnerable Parameter: event_settings
  • Authentication: None (Unauthenticated)
  • Preconditions: A valid WordPress nonce for the ep-frontend-nonce action must be obtained.

3. Code Flow

  1. The plugin registers AJAX handlers in includes/class-eventprime-event-calendar-management.php (inferred).
  2. The unauthenticated action ep_get_event_data maps to EventM_Ajax_Service::ep_get_event_data().
  3. Inside includes/class-ep-ajax.php (truncated in the provided source but known to contain this handler):
    • The handler calls check_ajax_referer( 'ep-frontend-nonce', 'security' ) to verify the request.
    • It then retrieves $_POST['event_settings'].
    • The code executes: $event_settings = maybe_unserialize( stripslashes( $_POST['event_settings'] ) );
  4. If event_settings contains a serialized PHP object, PHP will

Research Findings
Static analysis — not yet PoC-verified

Summary

The EventPrime plugin for WordPress (up to version 4.2.8.0) is vulnerable to unauthenticated PHP Object Injection due to the use of maybe_unserialize() on user-supplied input in the ep_get_event_data AJAX action. An unauthenticated attacker can supply a crafted PHP serialized object to trigger instantiation, which could lead to remote code execution or file deletion if a suitable POP chain is available on the target system.

Vulnerable Code

// File: includes/class-ep-ajax.php

public function ep_get_event_data() {
    // Verifies the request with a frontend nonce
    check_ajax_referer( 'ep-frontend-nonce', 'security' );

    // Retrieves unvalidated settings from the POST request
    // Line 134 (estimated)
    $event_settings = maybe_unserialize( stripslashes( $_POST['event_settings'] ) );

    // ... processes event settings
}

Security Fix

--- includes/class-ep-ajax.php
+++ includes/class-ep-ajax.php
@@ -134,1 +134,1 @@
-        $event_settings = maybe_unserialize( stripslashes( $_POST['event_settings'] ) );
+        $event_settings = json_decode( stripslashes( $_POST['event_settings'] ), true );
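Review bot: the replacement on line 134 removes the object-instantiation sink but adds no type check on the result: json_decode( ..., true ) returns null for anything that is not valid JSON (including the PHP-serialized strings existing callers currently send) and returns a bare scalar for inputs such as `"abc"` or `123`, so any later `$event_settings['...']` access will emit warnings or silently operate on the wrong type. Suggest following the assignment with `if ( ! is_array( $event_settings ) ) { wp_send_json_error(); }` (or an equivalent early return) and noting in the changelog that the event_settings parameter is now expected to be JSON rather than serialized PHP, since front-end code that still serializes will break.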

Exploit Outline

  1. Locate a valid 'ep-frontend-nonce' by inspecting the source code of any public page that loads the EventPrime calendar (the nonce is typically localized in script blocks as part of the 'ep_ajax_object' or 'eventprime' global variables).
  2. Construct a malicious PHP serialized object payload compatible with a POP chain present in the target WordPress environment (e.g., from other active plugins or the theme).
  3. Send an unauthenticated POST request to '/wp-admin/admin-ajax.php' with the following body parameters:
    • action: 'ep_get_event_data'
    • security: [retrieved nonce]
    • event_settings: [malicious serialized payload]
  4. The plugin calls maybe_unserialize() on the 'event_settings' parameter, causing PHP to unserialize the payload and trigger the magic methods in the injected object's class (e.g., __destruct or __wakeup).
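The difference between the vulnerable maybe_unserialize() call and the json_decode() fix, shown side by side as an added PHP example that is not EventPrime's code and not taken from the plugin's source. Everything in it is hypothetical: DemoGadget is a benign stand-in class whose only job is to show that a serialized string of the form O:... instantiates whatever class it names and runs its __wakeup(); demo_maybe_unserialize() is a simplified stand-in for WordPress's maybe_unserialize(); the parse_settings_* functions and the allow-listed key names are invented for the demonstration. The hardened version also adds the is_array() guard that the one-line fix itself leaves out, so malformed or non-object JSON is rejected instead of flowing into the handler.

```php
<?php
// Added example, not EventPrime code. Demonstrates why replacing
// maybe_unserialize() with json_decode(..., true) closes the object-injection sink.

// Hypothetical, benign class standing in for whatever class an injected
// O:... payload names. Its __wakeup() only announces that it ran.
class DemoGadget {
    public $note = '';
    public function __wakeup() {
        echo "DemoGadget::__wakeup() ran: the object was instantiated from untrusted input\n";
    }
}

// Simplified stand-in for WordPress's maybe_unserialize(): unserialize only
// when the string looks serialized, otherwise return it unchanged.
function demo_maybe_unserialize($data) {
    if (is_string($data) && preg_match('/^[abdiOs]:/', $data)) {
        return @unserialize($data);
    }
    return $data;
}

// Vulnerable pattern (EventPrime <= 4.2.8.0): the caller chooses which
// class gets instantiated and which magic methods run.
function parse_settings_vulnerable(string $raw) {
    return demo_maybe_unserialize(stripslashes($raw));
}

// Fixed pattern (EventPrime 4.2.8.1) plus a type guard. json_decode() with
// $assoc = true can only yield scalars and arrays, never objects, so no
// class is instantiated regardless of what the request contains.
function parse_settings_fixed(string $raw): ?array {
    $settings = json_decode(stripslashes($raw), true);
    if (!is_array($settings)) {
        return null; // not JSON, or JSON that is not an object/array: reject
    }
    // Keep only the keys the handler actually uses (hypothetical names).
    $allowed = ['event_id', 'view', 'per_page'];
    return array_intersect_key($settings, array_flip($allowed));
}

// Constructed inputs: a serialized object naming the demo class, and the
// JSON a legitimate client would send after the fix.
$serializedPayload = 'O:10:"DemoGadget":1:{s:4:"note";s:2:"hi";}';
$jsonPayload       = '{"event_id":12,"view":"month","extra":"ignored"}';

echo "--- vulnerable handling of a serialized object ---\n";
var_dump(parse_settings_vulnerable($serializedPayload)); // DemoGadget instance, __wakeup() already ran

echo "--- fixed handling of the same input ---\n";
var_dump(parse_settings_fixed($serializedPayload));      // NULL: not JSON, rejected

echo "--- fixed handling of well-formed JSON ---\n";
var_dump(parse_settings_fixed($jsonPayload));            // array with event_id and view; "extra" dropped
```

Run it with the php command-line interpreter. The first var_dump is preceded by the __wakeup() message, which is the whole problem in miniature: with unserialize() the request author decides which code runs during parsing. The second call returns NULL without instantiating anything, and the third shows that legitimate JSON still reaches the handler with unexpected keys stripped. Logging the NULL case (rather than silently continuing) is also the cheapest detection signal for clients still sending serialized data after the upgrade.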
