CVE-2025-32145 - Vulnerability Details

- WordPress WpEvently plugin <= 4.3.6 - PHP Object Injection vulnerability

Description

Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 4.3.6.

Published: 2025-04-10

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a deserialization of untrusted data in the WpEvently plugin that allows an attacker to craft a serialized PHP object and trigger Object Injection. This flaw can lead to remote code execution or modification of site data, depending on the remote code path the attacker can control. The weakness is classified as CWE‑502.

Affected Systems

All WordPress sites that installed the WpEvently plugin from the first release up to version 4.3.6, which is maintained by magepeopleteam. Sites using any earlier or later release are unaffected. The plugin is available on the WordPress plugin repository.

Risk and Exploitability

With a CVSS score of 8.8, the flaw is considered High severity. The EPSS score of <1 % indicates a currently low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through web requests that provide serialized data to the plugin, such as form submissions or URL parameters, though further analysis is required to determine authentication or privilege prerequisites. If exploited, the attacker could execute arbitrary code on the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

magepeopleteam

WpEvently

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.3.6

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the WpEvently plugin to version 4.3.7 or later, which removes the deserialization flaw.
If an upgrade is not immediately possible, disable or delete the plugin and block access to any endpoints that allow serialized input.
Review and restrict permissions for users and mitigate any other untrusted input that passes through the plugin.
Monitor server logs for abnormal PHP unserialize activity and verify that no unauthorized objects are being instantiated.

Generated by OpenCVE AI on April 30, 2026 at 23:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-10487	Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection. This issue affects WpEvently: from n/a through 4.3.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00336.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-4-3-5-php-object-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection. This issue affects WpEvently: from n/a through 4.3.5.	Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 4.3.6.
Title	WordPress WpEvently plugin <= 4.3.5 - PHP Object Injection vulnerability	WordPress WpEvently plugin <= 4.3.6 - PHP Object Injection vulnerability
References	https://patchstack.com/database/wordpress/plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-4-3-5-php-object-injection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-4-3-5-php-object-injection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 10 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 10 Apr 2025 08:15:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection. This issue affects WpEvently: from n/a through 4.3.5.
Title		WordPress WpEvently plugin <= 4.3.5 - PHP Object Injection vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/wordpress/plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-4-3-5-php-object-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-10T08:09:42.557Z

Updated: 2026-04-28T16:12:17.184Z

Reserved: 2025-04-04T10:00:50.063Z

Link: CVE-2025-32145

Vulnrichment

Updated: 2025-04-10T14:01:27.344Z

NVD

Status : Deferred

Published: 2025-04-10T08:15:16.533

Modified: 2026-04-23T15:28:38.480

Link: CVE-2025-32145

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:30:03Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object