Description
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 5.0.8.
Published: 2026-02-03
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Deserialization of untrusted data can lead to arbitrary code execution or similar severe impact
Action: Immediate Patch
AI Analysis

Impact

An attacker can supply malicious serialized data to the WpEvently plugin, which is deserialized without proper validation. This object injection flaw can allow the attacker to execute arbitrary code, compromising the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The vulnerability affects the magepeopleteam WpEvently plugin from the earliest version through 5.0.8, so any site running WpEvently version 5.0.8 or earlier is at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates a high-severity vulnerability, and the EPSS probability is currently below 1%, suggesting that exploitation is not widely observed. Based on the description, it is inferred that the attack vector may involve either unauthenticated access through publicly exposed endpoints or authenticated exploitation via an administrator account. The CVSS vector recorded for this CVE (AV:N/AC:L/PR:L/UI:N) describes a network-reachable attack that requires low privileges and no user interaction. The vulnerability is not listed in the CISA KEV catalog, but due to the potential for remote code execution, immediate remediation is advised.

Generated by OpenCVE AI on April 16, 2026 at 07:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WpEvently plugin to the latest available version (>=5.0.9).
  • If an immediate upgrade is not feasible, disable or remove the plugin from the WordPress installation to eliminate the deserialization risk.
  • Configure the plugin (or WordPress) to restrict or disable features that trigger untrusted data deserialization, and ensure that only trusted administrators have rights to trigger those functions.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Tue, 03 Feb 2026 19:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 14:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 5.0.8.

Type: Title
  Values Removed: (none)
  Values Added: WordPress WpEvently plugin <= 5.0.8 - Deserialization of untrusted data vulnerability

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-502

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:51.930Z

Reserved: 2026-01-28T09:50:29.518Z

Link: CVE-2026-24954

Vulnrichment

Updated: 2026-02-03T18:31:56.791Z

NVD

Status: Deferred

Published: 2026-02-03T15:16:16.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24954

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:15:28Z

Weaknesses