Impact
Unauthenticated PHP Object Injection in EventPrime plugin versions 4.3.2.1 and earlier enables an attacker to instantiate arbitrary PHP objects, potentially executing malicious code on the server. The vulnerability is listed with a CVSS score of 8.1, indicating high severity, and falls under CWE-502, which describes insecure deserialization. This flaw could compromise the confidentiality, integrity, or availability of the entire WordPress installation.
Affected Systems
WordPress sites running the EventPrime plugin version 4.3.2.1 or earlier are affected. The plugin is commonly used for event calendar management in WordPress installations.
Risk and Exploitability
The CVSS score of 8.1 reflects the risk of remote code execution, while the EPSS score of below 1% suggests that while the vulnerability exists, the likelihood of exploitation is low at present. The vulnerability is not listed in CISA KEV. An attacker can exploit it by sending a crafted request to a vulnerable endpoint of the plugin without authentication, inferring that the attack vector is remote and unauthenticated.
OpenCVE Enrichment