Impact
The vulnerability is a Deserialization of Untrusted Data flaw that permits an attacker to craft serialized PHP objects and inject them into the Eventin plugin’s deserialization process. This PHP Object Injection can allow the attacker to execute code or alter application behavior, potentially leading to full compromise of the site’s integrity and confidentiality. The weakness is classified as CWE-502, a deserialization flaw that can lead to arbitrary code execution.
Affected Systems
The vulnerability affects the WordPress plugin Eventin (wp‑event‑solution) in all versions up to and including 4.0.31. The impacted vendor is Arraytics, and the plugin is used within WordPress installations that enable the Eventin event management features. Installations still running version 4.0.31 or earlier remain vulnerable until they are upgraded.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity, and the EPSS score of less than 1% suggests that the probability of exploitation is currently low, although not zero. The issue is not in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker submitting crafted serialized data through the plugin’s input handlers, which are unprivileged and can be reached by authenticated or unauthenticated users depending on the plugin configuration. Once the data is deserialized, the attacker-controlled objects are instantiated and can execute arbitrary code within the WordPress environment.
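The mitigation for this class of bug is to never let untrusted input instantiate classes during deserialization. The following is an added example, not Eventin's code: a hypothetical `safe_unserialize()` wrapper that returns the plain array for the first constructed payload and null for the two that carry objects.

```php
<?php
// Added example (hypothetical, not Eventin's code): a deserialization wrapper
// that refuses object instantiation, the core mitigation for CWE-502 in PHP.
// Requires PHP 7.0+ for the allowed_classes option.

/**
 * Deserialize untrusted input, allowing scalars and arrays only.
 * Returns the decoded value, or null if the payload is malformed or
 * carries an object at any depth.
 */
function safe_unserialize(string $payload)
{
    // Fail-closed pre-check: serialized objects begin a token with "O:" or
    // "C:". A false positive on an odd string value is acceptable here.
    if (preg_match('/(^|[;{])[OC]:\d+:/', $payload)) {
        return null;
    }
    // allowed_classes => false turns any object that slips through into
    // __PHP_Incomplete_Class, so no real class's __wakeup/__destruct runs.
    $value = @unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== 'b:0;') {
        return null; // malformed input
    }
    // Defence in depth: reject any object that survived at any depth.
    $hasObject = false;
    $check = function ($v) use (&$hasObject) {
        if (is_object($v)) {
            $hasObject = true;
        }
    };
    if (is_array($value)) {
        array_walk_recursive($value, $check);
    } else {
        $check($value);
    }
    return $hasObject ? null : $value;
}

// Constructed sample inputs (not taken from any real request).
$benign = serialize(['event_id' => 42, 'tickets' => ['vip', 'general']]);
$object = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';  // top-level object
$nested = 'a:1:{s:1:"k";O:8:"stdClass":0:{}}';         // object inside an array

var_dump(safe_unserialize($benign));
var_dump(safe_unserialize($object));
var_dump(safe_unserialize($nested));
```

Where the plugin controls the data format itself, encoding it as JSON instead of PHP's native serialization removes this bug class entirely.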