[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4zR8RwbNHUtFPPBvAjk013k48UdgrEu7IBl2ZNczlj0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-23549","wpevently-unauthenticated-php-object-injection","WpEvently \u003C= 5.1.1 - Unauthenticated PHP Object Injection","The WpEvently plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 5.1.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","mage-eventpress",null,"\u003C=5.1.1","5.1.2","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-02-18 00:00:00","2026-02-25 15:25:56",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2dbaf8a7-e3cc-42c1-9f8b-7eb14363cf8c?source=api-prod",8,[],"researched",false,3,"This research plan outlines the steps to investigate and exploit CVE-2026-23549, an unauthenticated PHP Object Injection vulnerability in the **WpEvently (Event Booking Manager for WooCommerce)** plugin.\n\n### 1. Vulnerability Summary\nThe vulnerability exists because the plugin passes unvalidated user input directly into the PHP `unserialize()` function. In PHP, deserializing untrusted data can lead to **PHP Object Injection (POI)**. If a suitable \"Property-Oriented Programming\" (POP) chain exists in the environment (either within the plugin, another active plugin, or WordPress core), an attacker can execute arbitrary code, delete files, or bypass authentication.\n\nThe vulnerability is \"unauthenticated,\" meaning it is likely reachable via a `wp_ajax_nopriv_*` action or a direct request to a frontend-accessible script that doesn't check for user sessions.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (most likely) or a frontend hook like `init`.\n* **Action:** Likely a `wp_ajax_nopriv_` handler related to event booking, cart management, or attendee data.\n* **Parameter:** A POST or GET parameter containing a serialized string (often Base64 encoded). Common names in such plugins include `event_data`, `booking_info`, `cart_items`, or `attendee_list`.\n* **Preconditions:** The plugin must be active. No specific configuration is expected to be required for unauthenticated access.\n\n### 3. Code Flow (Inferred)\nBased on the vulnerability type, the execution flow is expected to be:\n1. **Entry Point:** An unauthenticated user sends a request to `admin-ajax.php?action=MAGE_EVENTPRESS_ACTION`.\n2. **Hook Trigger:** WordPress fires `do_action('wp_ajax_nopriv_MAGE_EVENTPRESS_ACTION')`.\n3. **Handler Execution:** The plugin's registered callback function (e.g., `MageEventPress_Ajax::handle_request`) is invoked.\n4. **Data Extraction:** The handler retrieves data from `$_POST['data']` or a similar parameter.\n5. **The Sink:** The handler calls `unserialize($data)` or `maybe_unserialize($data)` without sufficient validation or using the `allowed_classes => false` option.\n\n### 4. Nonce Acquisition Strategy\nIf the vulnerable AJAX action requires a nonce, it is likely exposed via `wp_localize_script` for use in the frontend booking forms.\n\n**Steps for the Agent:**\n1. **Identify the Script\u002FNonce:** Search for `wp_localize_script` in the plugin folder to find the JavaScript object name.\n * *Grep command:* `grep -r \"wp_localize_script\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fmage-eventpress\u002F`\n2. **Locate the Shortcode:** Identify which shortcode enqueues this script. Look for `add_shortcode` in the codebase.\n * *Example:* `[mage_event_booking]` (inferred).\n3. **Setup Page:** Create a public page containing the identified shortcode:\n * `wp post create --post_type=page --post_title=\"Booking\" --post_status=publish --post_content='[SHORTCODE_NAME]'`\n4. **Extract via Browser:**\n * Navigate to the page.\n * Use `browser_eval` to find the nonce: `browser_eval(\"window.mage_eventpress_params?.nonce\")` (Replace `mage_eventpress_params` with the actual variable found in step 1).\n\n### 5. Exploitation Strategy\nOnce the sink and parameter are identified, follow these steps:\n\n**Step 1: Discover the Action and Sink**\nSearch for `unserialize` calls that take user input:\n```bash\ngrep -rn \"unserialize\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fmage-eventpress\u002F | grep \"POST\\|GET\\|REQUEST\"\n```\n\n**Step 2: Confirm Accessibility**\nLocate where the function containing the `unserialize` call is hooked. Verify if it uses `wp_ajax_nopriv_`.\n\n**Step 3: Construct Payload**\nSince no POP chain is specified in the vulnerability report, use a \"benign\" object injection to confirm the vulnerability. We can attempt to inject a core WordPress class like `WP_Block_List` or a simple `stdClass` to see if it triggers an error or different behavior compared to a non-serialized string.\n\n* **Test Payload (Base64 encoded stdClass):** `Tzo4OiJzdGRDbGFzcyI6MDp7fQ==` (serializes to `O:8:\"stdClass\":0:{}`)\n\n**Step 4: Execute HTTP Request**\n```javascript\n\u002F\u002F Using http_request tool\n{\n method: \"POST\",\n url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n headers: { \"Content-Type\": \"application\u002Fx-www-form-urlencoded\" },\n data: \"action=IDENTIFIED_ACTION&nonce=IDENTIFIED_NONCE&vulnerable_param=Tzo4OiJzdGRDbGFzcyI6MDp7fQ==\"\n}\n```\n\n### 6. Test Data Setup\n1. **Plugin Installation:** Ensure `mage-eventpress` version 5.1.1 is installed and active.\n2. **Event Creation:** Some AJAX actions might require a valid event ID. Create one via WP-CLI if needed:\n * `wp post create --post_type=event --post_title=\"Test Event\" --post_status=publish`\n3. **Shortcode Page:** Create a page with the booking shortcode (as described in section 4) to facilitate nonce extraction if necessary.\n\n### 7. Expected Results\n* **Successful Injection:** The server processes the request and returns a 200 OK. If the payload is malformed or targets a non-existent class, you might see a PHP Notice or Warning in the logs (`wp-content\u002Fdebug.log`).\n* **Confirmation:** If the plugin attempts to use the injected object, it may trigger a \"method not found\" error if we inject a class like `stdClass`. This error confirms that the string was indeed deserialized into an object.\n\n### 8. Verification Steps\n1. **Check Logs:** Use `tail -f \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log` while sending the request. Look for:\n * `PHP Notice: unserialize(): Error at offset...` (if payload is slightly off)\n * `PHP Fatal error: Uncaught Error: Call to undefined method stdClass::...` (this is a strong indicator of successful injection).\n2. **Trace execution:** Add a temporary `error_log(\"Sink reached with: \" . print_r($data, true));` before the `unserialize` call in the plugin code to verify the data arrives intact.\n\n### 9. Alternative Approaches\n* **Base64 Variant:** If raw serialization fails, try Base64 encoding the payload, as many plugins encode serialized objects to avoid character issues in HTTP parameters.\n* **Check for `maybe_unserialize`:** If `unserialize` isn't found, search for `maybe_unserialize`. This function is a wrapper that will still call `unserialize` if the input is a valid serialized string.\n* **Search for `GuzzleHttp` or `Requests` chains:** WordPress often includes libraries like Guzzle. If a POP chain is needed to prove impact, check for these libraries in `vendor\u002F` or core.","The WpEvently plugin for WordPress is vulnerable to Unauthenticated PHP Object Injection in versions up to and including 5.1.1. This occurs when the plugin passes untrusted user input from AJAX requests into the PHP unserialize() function without restricting allowed classes, potentially allowing an attacker to execute arbitrary code if a suitable POP chain is present on the system.","1. Identify the unauthenticated AJAX action (e.g., using wp_ajax_nopriv_ hooks) that processes user-supplied data for event booking or cart management.\n2. Obtain a valid AJAX nonce by visiting a public page where the plugin's event booking shortcode is active and extracting the nonce from the localized JavaScript parameters (e.g., mage_eventpress_params.nonce).\n3. Construct a PHP serialized object payload designed to trigger a POP chain (e.g., targeting WordPress core or available libraries like GuzzleHttp).\n4. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php containing the identified action, the extracted nonce, and the malicious payload in the vulnerable parameter (e.g., data or event_data).","gemini-3-flash-preview","2026-04-19 04:06:49","2026-04-19 04:07:08",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","5.0.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmage-eventpress\u002Ftags\u002F5.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmage-eventpress.5.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmage-eventpress\u002Ftags"]