Description
Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions.
Published: 2026-06-15
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated PHP Object Injection in EventPrime plugin versions 4.3.2.1 and earlier enables an attacker to instantiate arbitrary PHP objects, potentially executing malicious code on the server. The vulnerability is listed with a CVSS score of 8.1, indicating high severity, and falls under CWE-502, which describes insecure deserialization. This flaw could compromise the confidentiality, integrity, or availability of the entire WordPress installation.

Affected Systems

WordPress sites running the EventPrime plugin version 4.3.2.1 or earlier are affected. The plugin is commonly used for event calendar management in WordPress installations.

Risk and Exploitability

The CVSS score of 8.1 reflects the risk of remote code execution, while the EPSS score of below 1% suggests that while the vulnerability exists, the likelihood of exploitation is low at present. The vulnerability is not listed in CISA KEV. An attacker can exploit it by sending a crafted request to a vulnerable endpoint of the plugin without authentication, inferring that the attack vector is remote and unauthenticated.

Generated by OpenCVE AI on June 18, 2026 at 00:42 UTC.

Remediation

Vendor Solution

Update the WordPress EventPrime Plugin to the latest available version (at least 4.3.2.2).


OpenCVE Recommended Actions

  • Upgrade the WordPress EventPrime Plugin to version 4.3.2.2 or later.
  • If an immediate upgrade is not feasible, temporarily disable the EventPrime plugin until a patched version is applied.
  • Monitor web server logs for suspicious PHP object injection attempts to detect potential exploitation.

Generated by OpenCVE AI on June 18, 2026 at 00:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Theeventprime
Theeventprime eventprime
Wordpress
Wordpress wordpress
Vendors & Products Theeventprime
Theeventprime eventprime
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions.
Title WordPress EventPrime plugin <= 4.3.2.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Theeventprime Eventprime
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:24:02.220Z

Reserved: 2026-04-29T09:04:56.882Z

Link: CVE-2026-42687

cve-icon Vulnrichment

Updated: 2026-06-16T01:23:57.691Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:56.870

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42687

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:15:02Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data