Description
Contributor PHP Object Injection in Events Calendar for GeoDirectory <= 2.3.25 versions.
Published: 2026-06-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Contributor PHP Object Injection in Events Calendar for GeoDirectory plugin versions 2.3.25 and earlier enables an attacker to craft malicious serialized data that is deserialized by the plugin. This flaw provides remote code execution and can lead to full control over the affected WordPress site. The vulnerability resides in the plugin’s handling of contributor input, lacking proper input validation.

Affected Systems

Affected systems include the WordPress Events Calendar for GeoDirectory plugin published by Stiofan. All releases up to and including 2.3.25 are vulnerable. Users of WordPress sites running any of these versions should assume the plugin is compromised.

Risk and Exploitability

The CVSS score of 8.8 marks this flaw as high severity. EPSS < 1% indicates a very low current exploitation probability, and it is not listed in CISA KEV. Nevertheless, the attack vector is likely remote via the plugin’s contributor feature and can be exploited by any party who can submit data to the plugin. Because the flaw permits remote code execution, administrators should prioritize applying the published update to at least 2.3.26.

Generated by OpenCVE AI on June 16, 2026 at 22:27 UTC.

Remediation

Vendor Solution

Update the WordPress Events Calendar for GeoDirectory Plugin to the latest available version (at least 2.3.26).

OpenCVE Recommended Actions

  • Update the Events Calendar for GeoDirectory plugin to version 2.3.26 or later.
  • If an update is not immediately possible, disable the contributor functionality or remove the plugin until it can be upgraded.
  • Harden the WordPress installation by ensuring that plugin directories are not writable by unauthorized users and that file permissions follow the principle of least privilege.

Generated by OpenCVE AI on June 16, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Contributor PHP Object Injection in Events Calendar for GeoDirectory <= 2.3.25 versions.
Title WordPress Events Calendar for GeoDirectory plugin <= 2.3.25 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T17:11:36.864Z

Reserved: 2026-04-07T10:48:09.605Z

Link: CVE-2026-39532

cve-icon Vulnrichment

Updated: 2026-06-16T13:56:11.592Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:47.070

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39532

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T22:30:05Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data