Description
Deserialization of Untrusted Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Object Injection. This issue affects EventPrime: from n/a through <= 4.2.8.0.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Metagauss EventPrime plugin handles serialized data without proper validation, enabling PHP object injection. This weakness allows an attacker to craft objects that, when instantiated by the plugin, can overwrite internal properties or execute arbitrary code, thereby compromising the WordPress site’s integrity, confidentiality and availability.

Affected Systems

WordPress sites that have the EventPrime event-calendar-management plugin installed at any version from the initial release up to and including 4.2.8.0 are affected. The vulnerability applies to all installations of the plugin regardless of deployment size.

Risk and Exploitability

The vulnerability is assigned a CVSS score of 9.8, indicating severe impact. The EPSS score is less than 1% and the issue is not listed in the CISA KEV catalog, suggesting that exploitation is not common yet. The likely attack vector is the injection of crafted serialized data through any interface where the plugin accepts external input, such as plugin configuration forms or data import functions. The attacker needs to supply malicious payload data; once accepted, the plugin will instantiate objects that can perform arbitrary operations on the system. Due to the high severity and the potential for remote code execution, the risk remains significant despite the low observed exploitation probability.

Generated by OpenCVE AI on March 26, 2026 at 18:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the EventPrime plugin to a version newer than 4.2.8.0 (or 4.2.8.1 if available).
  • If an update is not available, disable or uninstall the EventPrime plugin until a fix is released.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added:
  Metagauss
  Metagauss eventprime
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Added:
  Metagauss
  Metagauss eventprime
  Wordpress
  Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Object Injection. This issue affects EventPrime: from n/a through <= 4.2.8.0.

Type: Title
Values Added: WordPress EventPrime plugin <= 4.2.8.0 - PHP Object Injection vulnerability

Type: Weaknesses
Values Added: CWE-502
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:40:08.166Z

Reserved: 2026-01-22T14:42:40.516Z

Link: CVE-2026-24378

Vulnrichment

Updated: 2026-03-26T15:37:19.937Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:38.073

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-24378

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:25Z

Weaknesses