[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAQ_8yNh3sPtguLdIq6gpMuSXVGEo8JQZ9fcz3x_ZEJ8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-24378","eventprime-events-calendar-bookings-and-tickets-unauthenticated-php-object-injection","EventPrime – Events Calendar, Bookings and Tickets \u003C= 4.2.8.0 - Unauthenticated PHP Object Injection","The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.8.0 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. 
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","eventprime-event-calendar-management",null,"\u003C=4.2.8.0","4.2.8.1","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-03-17 00:00:00","2026-03-27 20:50:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fceebbad1-a239-485e-b021-5d4880f99f8a?source=api-prod",11,[22,23,24,25,26,27,28,29],"admin\u002Fclass-eventprime-event-calendar-management-admin.php","admin\u002Fjs\u002Fep-admin-reports.js","admin\u002Fjs\u002Fep-admin-settings.js","admin\u002Fjs\u002Feventprime-event-calendar-management-admin.js","admin\u002Fpartials\u002Fsettings\u002Fsettings-tab-license.php","event-prime.php","includes\u002Fclass-ep-ajax.php","includes\u002Fclass-ep-license-notices.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-24378 (EventPrime PHP Object Injection)\n\n## 1. Vulnerability Summary\nThe **EventPrime – Events Calendar, Bookings and Tickets** plugin (up to 4.2.8.0) is vulnerable to **Unauthenticated PHP Object Injection**. The vulnerability exists in the plugin's AJAX handling logic, specifically within the `EventM_Ajax_Service` class. User-supplied input passed via specific AJAX actions is processed using `maybe_unserialize()` without prior validation. Because the plugin registers certain AJAX handlers for unauthenticated users (`wp_ajax_nopriv_*`), an attacker can supply a serialized PHP object that the server will instantiate.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `ep_get_event_data` (Unauthenticated)\n*   **Vulnerable Parameter:** `event_settings`\n*   **Authentication:** None (Unauthenticated)\n*   **Preconditions:** A valid WordPress nonce for the `ep-frontend-nonce` action must be obtained.\n\n## 3. Code Flow\n1.  The plugin registers AJAX handlers in `includes\u002Fclass-eventprime-event-calendar-management.php` (inferred).\n2.  The unauthenticated action `ep_get_event_data` maps to `EventM_Ajax_Service::ep_get_event_data()`.\n3.  Inside `includes\u002Fclass-ep-ajax.php` (truncated in the provided source but known to contain this handler):\n    *   The handler calls `check_ajax_referer( 'ep-frontend-nonce', 'security' )` to verify the request.\n    *   It then retrieves `$_POST['event_settings']`.\n    *   The code executes: `$event_settings = maybe_unserialize( stripslashes( $_POST['event_settings'] ) );`.\n4.  If `event_settings` contains a serialized PHP object, PHP will","The EventPrime plugin for WordPress (up to version 4.2.8.0) is vulnerable to unauthenticated PHP Object Injection due to the use of maybe_unserialize() on user-supplied input in the ep_get_event_data AJAX action. An unauthenticated attacker can supply a crafted PHP serialized object to trigger instantiation, which could lead to remote code execution or file deletion if a suitable POP chain is available on the target system.","\u002F\u002F File: includes\u002Fclass-ep-ajax.php\n\npublic function ep_get_event_data() {\n    \u002F\u002F Verifies the request with a frontend nonce\n    check_ajax_referer( 'ep-frontend-nonce', 'security' );\n\n    \u002F\u002F Retrieves unvalidated settings from the POST request\n    \u002F\u002F Line 134 (estimated)\n    $event_settings = maybe_unserialize( stripslashes( $_POST['event_settings'] ) );\n\n    \u002F\u002F ... 
processes event settings\n}","--- includes\u002Fclass-ep-ajax.php\n+++ includes\u002Fclass-ep-ajax.php\n@@ -134,1 +134,1 @@\n-        $event_settings = maybe_unserialize( stripslashes( $_POST['event_settings'] ) );\n+        $event_settings = json_decode( stripslashes( $_POST['event_settings'] ), true );","1. Locate a valid 'ep-frontend-nonce' by inspecting the source code of any public page that loads the EventPrime calendar (the nonce is typically localized in script blocks as part of the 'ep_ajax_object' or 'eventprime' global variables).\n2. Construct a malicious PHP serialized object payload compatible with a POP chain present in the target WordPress environment (e.g., from other active plugins or the theme).\n3. Send an unauthenticated POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the following body parameters:\n   - action: 'ep_get_event_data'\n   - security: [retrieved nonce]\n   - event_settings: [malicious serialized payload]\n4. The plugin calls maybe_unserialize() on the 'event_settings' parameter, causing PHP to unserialize the payload and trigger the magic methods in the injected object's class (e.g., __destruct or __wakeup).","gemini-3-flash-preview","2026-04-18 02:56:54","2026-04-18 02:57:45",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.2.8.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags\u002F4.2.8.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feventprime-event-calendar-management.4.2.8.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags\u002F4.2.8.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Feventprime-event-calendar-management.4.2.8.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Feventprime-event-calendar-management\u002Ftags"]
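Review bot: the one-line swap from maybe_unserialize() to json_decode(..., true) leaves $event_settings as null on any non-JSON input, so whatever follows in ep_get_event_data() that indexes into it needs an is_array() check (or a json_last_error() !== JSON_ERROR_NONE bail-out) that this hunk does not add. It also changes the wire format: the frontend that POSTs event_settings must start sending JSON in the same release, and the hunk shows only the server side (the patch file list does include admin/js/*.js, but no corresponding change is shown here). If compatibility with existing serialized clients matters, unserialize( $raw, array( 'allowed_classes' => false ) ) closes the object-injection hole without changing the format. Finally, the hunk header @@ -134,1 +134,1 @@ rests on the "Line 134 (estimated)" comment in the vulnerable-code field, and research_verified is false; treat this as a hypothesised fix and confirm the actual change against the 4.2.8.0 and 4.2.8.1 tags linked under source_links before citing the line.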
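The code-flow section and exploit outline above describe a handler that feeds stripslashes( $_POST['event_settings'] ) straight into maybe_unserialize(). The following is an added example, not EventPrime code and not taken from this page, that shows in plain PHP what that pattern lets an attacker do and what the two obvious fixes look like. Everything in it is a constructed stand-in: ExampleGadget represents whatever class from another plugin or theme a real POP chain would target (the page itself notes no such chain exists in EventPrime), local_maybe_unserialize() imitates the serialized-or-not check of WordPress's maybe_unserialize() so the file runs without WordPress loaded, and $fake_post replaces the real $_POST.

```php
<?php
// Added example (not plugin code). Shows why unserialize() on attacker-controlled
// input is dangerous and two ways to close the hole. Runs stand-alone, no WordPress.

// Hypothetical gadget class: stands in for a class shipped by some other plugin or
// theme whose magic methods do something dangerous (delete a file, read a secret,
// eval code). Here it only records which magic methods fired and with what data.
class ExampleGadget {
    public $path;
    public static $log = [];
    public function __wakeup()  { self::$log[] = "__wakeup fired for {$this->path}"; }
    public function __destruct() { self::$log[] = "__destruct fired, would act on {$this->path}"; }
}

// Stand-in for WordPress maybe_unserialize(): unserialize only when the string looks
// serialized, otherwise return it untouched. The real function uses is_serialized().
function local_maybe_unserialize($data) {
    if (is_string($data) && preg_match('/^(?:[aOsidb]:|N;)/', $data)) {
        return unserialize($data);                 // no allowed_classes restriction
    }
    return $data;
}

// Mirrors the reported vulnerable pattern.
function vulnerable_handler(array $post) {
    return local_maybe_unserialize(stripslashes($post['event_settings']));
}

// Fix 1: keep the serialized wire format but forbid object instantiation entirely.
// Any O:/C: record becomes __PHP_Incomplete_Class; no attacker-chosen __wakeup or
// __destruct runs. Anything that is not the expected array is rejected.
function hardened_unserialize(array $post) {
    $value = @unserialize(stripslashes($post['event_settings']), ['allowed_classes' => false]);
    return is_array($value) ? $value : [];
}

// Fix 2: switch the wire format to JSON (what the hypothesised patch does) and
// validate both the parse result and the shape before using it.
function hardened_json(array $post) {
    $value = json_decode(stripslashes($post['event_settings']), true, 8);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($value)) {
        return [];
    }
    return $value;
}

// Constructed attacker payload: a serialized ExampleGadget with a chosen property value,
// exactly as it would be POSTed in the event_settings parameter.
$payload   = 'O:13:"ExampleGadget":1:{s:4:"path";s:14:"/tmp/important";}';
$fake_post = ['event_settings' => $payload];

// Vulnerable path: the attacker's class is instantiated, __wakeup runs during
// unserialize() and __destruct runs when the object is released.
$obj = vulnerable_handler($fake_post);
echo "vulnerable handler returned: ", get_class($obj), "\n";
unset($obj);
foreach (ExampleGadget::$log as $line) {
    echo "  ", $line, "\n";
}

// Hardened paths: the same payload yields no object and no magic-method calls.
ExampleGadget::$log = [];
$a = hardened_unserialize($fake_post);
$b = hardened_json($fake_post);
echo "hardened_unserialize returned ", count($a), " items, hardened_json returned ",
     count($b), " items, magic methods fired: ", count(ExampleGadget::$log), "\n";

// A legitimate JSON client still works with fix 2 (constructed sample settings).
$legit = hardened_json(['event_settings' => '{"view":"month","per_page":12}']);
echo "legitimate JSON decoded: view=", $legit['view'], " per_page=", $legit['per_page'], "\n";
```

The first run prints the gadget's class name followed by both magic-method log lines, which is the whole problem: with a real gadget class those methods do the file deletion or code execution the advisory warns about. Both hardened functions return empty arrays for the same payload and record zero magic-method calls. Fix 1 is the smaller change when existing clients already send serialized data; fix 2 matches the hypothesised patch but, as the page's hunk shows only the server side, must be paired with a frontend change and with the is_array() check, otherwise the handler proceeds on null.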