Description
Deserialization of Untrusted Data vulnerability in elbisnero WordPress Events Calendar Registration & Tickets wpeventplus allows Object Injection.This issue affects WordPress Events Calendar Registration & Tickets: from n/a through <= 2.6.0.
Published: 2025-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin deserializes user‑supplied data without proper validation, enabling object injection. This PHP Object Injection (CWE-502) allows an attacker to execute arbitrary code on the server, potentially compromising the entire WordPress installation.

Affected Systems

Systems running the elbisnero WordPress Events Calendar Registration & Tickets plugin – wpeventplus – version 2.6.0 or earlier are affected. The vulnerability applies to all installations of this plugin within WordPress sites.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as critical, while the EPSS score of less than 1% suggests that mass exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via crafted requests to the plugin’s entry points, such as registration or ticket submission forms, where unsafe deserialization occurs. Organizations should treat this as a high‑risk exposure until mitigated.

Generated by OpenCVE AI on April 30, 2026 at 12:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest update of the WordPress Events Calendar Registration & Tickets plugin that removes the vulnerable deserialization logic.
  • If a patch is not yet available, temporarily deactivate or uninstall the plugin until a fix is released.
  • Implement additional safeguards, such as tightening input validation or deploying a Web Application Firewall that blocks malicious serialized payloads.

Generated by OpenCVE AI on April 30, 2026 at 12:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15802 Deserialization of Untrusted Data vulnerability in Elbisnero WordPress Events Calendar Registration & Tickets allows Object Injection.This issue affects WordPress Events Calendar Registration & Tickets: from n/a through 2.6.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Elbisnero WordPress Events Calendar Registration & Tickets allows Object Injection.This issue affects WordPress Events Calendar Registration & Tickets: from n/a through 2.6.0. Deserialization of Untrusted Data vulnerability in elbisnero WordPress Events Calendar Registration & Tickets wpeventplus allows Object Injection.This issue affects WordPress Events Calendar Registration & Tickets: from n/a through <= 2.6.0.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 19 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 18:30:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Elbisnero WordPress Events Calendar Registration & Tickets allows Object Injection.This issue affects WordPress Events Calendar Registration & Tickets: from n/a through 2.6.0.
Title WordPress WordPress Events Calendar Registration & Tickets plugin <= 2.6.0 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:45.791Z

Reserved: 2025-05-07T09:55:31.578Z

Link: CVE-2025-47581

cve-icon Vulnrichment

Updated: 2025-05-19T18:49:56.357Z

cve-icon NVD

Status : Deferred

Published: 2025-05-19T19:15:52.140

Modified: 2026-04-23T15:30:32.480

Link: CVE-2025-47581

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T12:45:22Z

Weaknesses