This vulnerability enables an attacker to inject PHP objects via unserialization, allowing execution of arbitrary code on a WordPress site. It arises from the Events Calendar for GeoDirectory plugin deserializing untrusted data that is supplied through user input fields without proper validation. When a maliciously crafted serialized payload is processed, attackers can instantiate arbitrary objects, leading to remote code execution or other forms of compromise. The flaw is a classic example of deserialization of untrusted data, or "Object Injection."

All WordPress installations that include the Events Calendar for GeoDirectory plugin with version numbers up to and including 2.3.14 are vulnerable. The issue is confined to the plugin product provided by Stiofan; the core WordPress software is not affected.

The CVSS score of 8.8 marks this issue as high severity, indicating substantial risk to confidentiality, integrity, and availability if exploited. The EPSS score of less than 1% signals a very low probability of exploitation at present, and the vulnerability is not listed in CISA's KEV catalog, suggesting no widespread exploitation has been observed. Based on the description, the likely attack vector involves an attacker supplying a crafted serialized object through a vulnerable input field or a malicious link that triggers the plugin’s deserialization logic. Successful exploitation would give the attacker the ability to run arbitrary PHP code on the affected WordPress site.