[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzrnb8uMDGCr7JY3SPcAWItjEqz5r_rCFKQoSesy8p9Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-42687","eventprime-events-calendar-bookings-and-tickets-unauthenticated-php-object-injection-2","EventPrime – Events Calendar, Bookings and Tickets \u003C= 4.3.2.1 - Unauthenticated PHP Object Injection","The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.3.2.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","eventprime-event-calendar-management",null,"\u003C=4.3.2.1","4.3.2.2","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-05-25 00:00:00","2026-06-01 16:34:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe5be210c-9116-4529-90e3-70625a0c40ce?source=api-prod",8,[22,23,24,25,26,27,28],"admin\u002Fjs\u002Fep-admin-license.js","event-prime.php","includes\u002Fclass-ep-ajax.php","includes\u002Fclass-eventprime-functions.php","includes\u002Fclass-eventprime-license.php","public\u002Fpartials\u002Fthemes\u002Fdefault\u002Ffrontend-submission\u002Forganizers.php","readme.txt","researched",false,3,"This vulnerability research plan focuses on identifying and exploiting an unauthenticated PHP Object Injection vulnerability in the **EventPrime** plugin. Based on the provided source code and vulnerability description, the flaw resides in the use of `maybe_unserialize()` on untrusted data.\n\n### 1. Vulnerability Summary\nThe **EventPrime** plugin (up to 4.3.2.1) uses `maybe_unserialize()` on data that can be influenced by unauthenticated users. In WordPress, `maybe_unserialize()` calls the native PHP `unserialize()` function if it detects a serialized string. This leads to **PHP Object Injection**, allowing an attacker to instantiate arbitrary PHP objects if a suitable POP (Property Oriented Programming) chain exists in the environment (e.g., in other plugins or themes).\n\n### 2. Attack Vector Analysis\n*   **Target Endpoint:** `admin-ajax.php`\n*   **Vulnerable Action:** `ep_cancel_current_booking_process` (associated with the `cancel_current_booking_process` method in `EventM_Ajax_Service`).\n*   **Parameter:** `event_id` (used to fetch meta), or potentially a direct parameter in a related AJAX action like `ep_get_event_details` or `ep_get_calendar_events`.\n*   **Preconditions:** \n    1.  The plugin must have \"Guest Bookings\" or \"Frontend Event Submission\" enabled (standard for event plugins).\n    2.  A valid nonce for `event-registration-form-nonce` is","The EventPrime plugin for WordPress is vulnerable to unauthenticated PHP Object Injection due to the use of maybe_unserialize() on metadata that can be influenced by users. This occurs when data is retrieved via get_post_meta() and subsequently passed to maybe_unserialize(), leading to 'double deserialization' if an attacker can inject a serialized string into the database.","\u002F\u002F includes\u002Fclass-ep-ajax.php (approx line 1262)\npublic function cancel_current_booking_process() {\n    if( wp_verify_nonce( $_POST['security'], 'event-registration-form-nonce' ) ) {\n        $event_id = absint( $_POST['event_id'] ); \n        \u002F\u002F ...\n        $event_seat_data = get_post_meta( $event_id, 'em_seat_data', true );\n        if( ! empty( $event_seat_data ) ) { \n            \u002F\u002F ...\n            $event_seat_data = maybe_unserialize( $event_seat_data );\n\n---\n\n\u002F\u002F public\u002Fpartials\u002Fthemes\u002Fdefault\u002Ffrontend-submission\u002Forganizers.php (line 11)\n$selected_organizer = isset($args->event) && !empty($args->event->em_organizer) ? maybe_unserialize($args->event->em_organizer): array();","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feventprime-event-calendar-management\u002F4.3.2.1\u002Fincludes\u002Fclass-ep-ajax.php\t2026-04-20 09:26:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Feventprime-event-calendar-management\u002F4.3.2.2\u002Fincludes\u002Fclass-ep-ajax.php\t2026-04-29 06:40:08.000000000 +0000\n@@ -1249,12 +1249,12 @@\n                 }\n             }\n \n-            \u002F\u002F organizer\n-            $org = array();\n-            if( isset( $data['em_organizer'] ) && !empty( $data['em_organizer'] ) ) {\n-                $org = $data['em_organizer'];\n-                update_post_meta( $post_id, 'em_organizer', $org );\n-            }\n+            \u002F\u002F organizer\n+            $org = array();\n+            if( isset( $data['em_organizer'] ) && !empty( $data['em_organizer'] ) ) {\n+                $org = $ep_functions->ep_sanitize_term_id_list( $data['em_organizer'] );\n+                update_post_meta( $post_id, 'em_organizer', $org );\n+            }\n             if( isset( $data['new_organizer'] ) && $data['new_organizer'] == 1 ) {\n                 $organizer_name = isset( $data['new_organizer_name'] ) ? sanitize_text_field($data['new_organizer_name']) : '';\n                 if( ! empty( $organizer_name ) ) {\n@@ -1274,14 +1274,15 @@\n                         if( isset( $data['em_organizer_websites'] ) && ! empty( $data['em_organizer_websites'] ) ) {\n                             $org_data->em_organizer_websites = array_map( 'esc_url_raw', (array) $data['em_organizer_websites'] );\n                         }\n-                        $org_data->description = isset( $data['new_event_organizer_description'] ) ? wp_kses_post($data['new_event_organizer_description']) : '';\n-                        $org_data->em_image_id = isset( $data['org_attachment_id'] ) ? $data['org_attachment_id'] : '';\n-                        $org_data->em_social_links = isset( $data['em_social_links'] ) ? array_map( 'esc_url_raw', (array) $data['em_social_links'] ) : '';\n-                        $org[] = $ep_functions->create_organizer( (array)$org_data );\n-                    }\n-                }\n-                update_post_meta( $post_id, 'em_organizer', $org );\n-            }\n+                        $org_data->description = isset( $data['new_event_organizer_description'] ) ? wp_kses_post($data['new_event_organizer_description']) : '';\n+                        $org_data->em_image_id = isset( $data['org_attachment_id'] ) ? $data['org_attachment_id'] : '';\n+                        $org_data->em_social_links = isset( $data['em_social_links'] ) ? array_map( 'esc_url_raw', (array) $data['em_social_links'] ) : '';\n+                        $org[] = $ep_functions->create_organizer( (array)$org_data );\n+                    }\n+                }\n+                $org = $ep_functions->ep_sanitize_term_id_list( $org );\n+                update_post_meta( $post_id, 'em_organizer', $org );\n+            }","The exploit requires two stages: injection and triggering. \n\n1. **Injection**: An attacker identifies an input that is saved to post meta without proper sanitization (such as `em_organizer` via frontend event submission or specific license settings). They provide a 'double-serialized' payload—a string which, when deserialized once by WordPress's internal `get_post_meta`, results in a string that is itself a valid serialized PHP object (e.g., 's:21:\"O:15:\"Other_POP_Chain\":0:{}\";').\n\n2. **Triggering**: The attacker makes a request to an endpoint that retrieves this meta and calls `maybe_unserialize()` on it. One such endpoint is the AJAX action `ep_cancel_current_booking_process` (accessible via `admin-ajax.php`). The attacker provides the target `event_id` and a valid `event-registration-form-nonce` (typically found in the frontend event page's source). Upon processing, the plugin deserializes the attacker's object, triggering the PHP destructor\u002Fwakeup methods if a suitable POP chain is available in the environment.","gemini-3-flash-preview","2026-06-04 21:01:01","2026-06-04 21:02:01",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","4.3.2.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags\u002F4.3.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feventprime-event-calendar-management.4.3.2.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags\u002F4.3.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feventprime-event-calendar-management.4.3.2.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags"]