Impact
The Arraytics Eventin WordPress plugin unserializes attacker-controlled data, a Deserialization of Untrusted Data weakness (CWE-502) that enables PHP Object Injection: the attacker supplies a serialized string that PHP's unserialize() turns into objects of any class loadable on the site, with attacker-chosen property values. Whether that becomes code execution depends on the classes available as gadgets, i.e. any class whose __wakeup, __destruct, __toString or similar magic method does something dangerous with those properties; a WordPress install with its usual mix of plugins, themes and vendored libraries normally provides enough such classes for a chain to be realistic. With a usable gadget the result is arbitrary code execution on the web server hosting the site, giving full control over the compromised site.
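The pattern described above, as an added illustration that is not Eventin's code: the gadget class, the function names and the payload are hypothetical and stand in for whatever classes a real target happens to load. The block shows the vulnerable sink beside two hardened variants (forbidding objects via allowed_classes, or switching the format to JSON) and a request-level check for the serialized-object token that a WAF rule or triage script can use.

```php
<?php
// Illustration added to this write-up; it is not Eventin's code. The gadget
// class, the function names and the payload are hypothetical, chosen only
// to show the unserialize()-on-untrusted-input pattern and two ways to fix it.
// Requires PHP >= 7.3 (allowed_classes option, JSON_THROW_ON_ERROR).

// A "gadget": any loadable class whose magic method does something dangerous
// with attacker-chosen property values. Real chains are assembled from classes
// already present in the target's plugins, themes and vendored libraries.
class CacheWriter
{
    public $path;
    public $contents;

    // Fires when the object is destroyed, i.e. right after unserialize()
    // returns and the result is discarded. The plugin never has to call
    // a method on the object for this to run.
    public function __destruct()
    {
        file_put_contents($this->path, $this->contents);
    }
}

// VULNERABLE: trusting a serialized blob that came from the request.
function load_settings_vulnerable(string $blob)
{
    return unserialize($blob); // may instantiate ANY class on the site
}

// HARDENED (a): keep unserialize() but forbid objects entirely. Anything that
// was an object comes back as __PHP_Incomplete_Class and no magic method runs;
// such input is rejected rather than silently used.
function load_settings_hardened(string $blob)
{
    $data = @unserialize($blob, ['allowed_classes' => false]);
    if ($data === false || contains_object($data)) {
        return false; // malformed, or it carried an object: refuse it
    }
    return $data; // scalars and arrays only
}

function contains_object($value): bool
{
    if (is_object($value)) {
        return true; // __PHP_Incomplete_Class or any other object
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED (b): change the wire format. JSON has no way to express PHP objects.
function load_settings_json(string $blob)
{
    return json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
}

// Request-level triage check (WAF rule, log grep): a PHP serialized object
// token looks like O:<len>:"<class>" (or C: for classes with custom
// serialization) at the start of a value or right after ; or {.
function looks_like_php_object(string $s): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $s);
}

// --- Demo with a constructed payload -------------------------------------
function ser_str(string $v): string
{
    return 's:' . strlen($v) . ':"' . $v . '";';
}

$target  = sys_get_temp_dir() . '/poi-demo.php';
$payload = 'O:11:"CacheWriter":2:{'
         . ser_str('path') . ser_str($target)
         . ser_str('contents') . ser_str('<?php phpinfo();')
         . '}';

echo looks_like_php_object($payload) ? "flagged: serialized object in input\n" : "";

load_settings_vulnerable($payload);            // __destruct writes the file
echo file_exists($target) ? "vulnerable: $target written\n" : "";
@unlink($target);

var_dump(load_settings_hardened($payload));    // bool(false), nothing written
var_dump(file_exists($target));                // bool(false)
```

Two caveats worth keeping in mind. An allow-list of specific classes via allowed_classes is safer than unrestricted unserialize() but still trusts every magic method on those classes and anything they reference, so forbidding objects or moving to JSON is the stronger fix. And the sink is wherever unserialize() runs, not only the HTTP boundary: a value an attacker managed to store earlier (an option, post meta, a cached entry) is just as dangerous when read back, so the check belongs at the point of deserialization.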
Affected Systems
The vulnerability affects the WordPress Eventin plugin (slug wp-event-solution) in all versions up to and including 4.1.3. Because the flaw is in plugin code, every WordPress site with the plugin installed is potentially affected regardless of its WordPress core version.
Risk and Exploitability
The CVSS score of 8.8 rates this flaw as high severity. The EPSS score of under 1% indicates that, at the time of assessment, exploitation in the wild was predicted to be uncommon, but a low probability does not reduce the impact of remote code execution should it occur. The vulnerability is not listed in the CISA KEV catalog. The description does not name the entry point; deserialization flaws in WordPress plugins are reached through requests the plugin handles (an AJAX action, a REST route, a form submission), so a remote attack vector is the reasonable inference, while whether the request must be authenticated is not stated. Successful exploitation runs attacker-supplied code as the web server's PHP process, which on a typical host means read and write access to the site's files, including wp-config.php and with it the database credentials, i.e. full compromise of the site.
OpenCVE Enrichment