
Events Calendar for GeoDirectory CVE-2025-26967

Severity: HIGH (CVSS 3.1 base score 8.8, NVD)
Weakness: Deserialization of Untrusted Data (CWE-502)
Published: 2025-03-03 · assigner: audit@patchstack.com

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 entries)

Analysis Updated: Apr 25, 2026 - 01:00 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 23, 2026 - 15:42 (vuln.today), cvss_changed
Analysis Generated: Mar 28, 2026 - 18:29 (vuln.today)
CVE Published: Mar 03, 2025 - 14:15 (nvd), HIGH 8.8

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in Stiofan Events Calendar for GeoDirectory allows Object Injection. This issue affects Events Calendar for GeoDirectory: from n/a through 2.3.14.

Analysis (AI)

PHP object injection in Events Calendar for GeoDirectory versions through 2.3.14 lets an authenticated attacker with low privileges supply serialized data that the plugin passes to unserialize(). On its own this gives the attacker control over which classes are instantiated and with what properties; it becomes arbitrary code execution only when a usable gadget chain exists in the plugin, WordPress core, or another installed plugin or theme, which is the outcome the NVD vector's High confidentiality, integrity and availability impact reflects. The CVSS 8.8 score corresponds to network-based exploitation with low attack complexity, low privileges required and no user interaction. The EPSS score of 0.23% (45th percentile) indicates a low predicted probability of exploitation, and the CVE is not in the CISA KEV catalog, so no confirmed in-the-wild exploitation has been recorded there; absence from KEV does not prove the flaw is unexploited. Patchstack, the assigning CNA, records it as a confirmed deserialization vulnerability (CWE-502) in the WordPress plugin ecosystem.

Technical Context (AI)

This vulnerability stems from unsafe deserialization of untrusted data (CWE-502), a well-known flaw class in PHP applications. The Events Calendar for GeoDirectory WordPress plugin passes data it does not adequately validate or restrict to PHP's unserialize(). unserialize() instantiates any loadable class named in the input and populates its properties without calling the constructor; magic methods then run automatically: __wakeup() and __unserialize() during deserialization, __destruct() when the object is released, and __toString(), __call() and similar when the object is later used. An attacker who controls the serialized string can therefore chain existing classes from the plugin, WordPress core, or other installed plugins and themes into a gadget chain, and with a suitable chain reach file writes, database queries, or code execution. PHP has offered the allowed_classes option of unserialize() since 7.0 precisely to prevent this; the CPE entry (wpgeodirectory:events_calendar) and the Patchstack advisory describe a classic PHP Object Injection in the plugin, meaning that restriction was not in place. The plugin integrates event management with GeoDirectory's location features and likely deserializes user-controlled input related to event data, settings, or imported content without type restrictions or integrity protection such as an HMAC over the serialized blob. The exact entry point is not identified here, so any plugin endpoint that accepts event data, settings or imports from a logged-in user should be treated as potentially reachable.
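The following PHP script is an added illustration of the mechanism described above and of three ways to close it; it is demo code, not code from the Events Calendar for GeoDirectory plugin or from WordPress. The gadget class CacheWriter, the function names, the file paths and the HMAC secret are all assumptions chosen for the demo, and PHP 8.0 or later is assumed.

```php
<?php
// Added illustration of PHP object injection through unserialize() and three
// ways to close it. Demo code, not code from the Events Calendar for
// GeoDirectory plugin; the class, function names, paths and secret are assumed.
// Requires PHP 8.0+ (mixed return types).

declare(strict_types=1);

// A hypothetical gadget: a class that already exists in the application and
// does something dangerous in a magic method. unserialize() only needs the
// class to be loadable; it fills the properties and never runs the constructor.
class CacheWriter
{
    public string $path = '/tmp/cache.txt';
    public string $payload = '';

    // Runs automatically when the object is released, at the latest at the end
    // of the request, even if the application never touches the object.
    public function __destruct()
    {
        file_put_contents($this->path, $this->payload);
    }
}

// Vulnerable pattern: untrusted input goes straight into unserialize(), so the
// attacker picks the class and every property of the object that gets built.
function load_event_settings_vulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: refuse to instantiate any class. Objects in the input
// become __PHP_Incomplete_Class, whose magic methods are never invoked. Use an
// explicit allowlist instead of false only if specific classes are required.
function load_event_settings_safe(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization for user-controlled data.
// JSON has no notion of classes or methods, so there is nothing to inject.
function load_event_settings_json(string $untrusted): ?array
{
    $decoded = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// Hardened pattern 3: when serialized data must round-trip through the client
// (a hidden form field, a cookie), authenticate it so that only blobs the
// server produced are ever deserialized. $secret is an assumption for the demo.
function seal(string $serialized, string $secret): string
{
    return hash_hmac('sha256', $serialized, $secret) . ':' . base64_encode($serialized);
}

function unseal(string $sealed, string $secret): mixed
{
    [$mac, $b64] = explode(':', $sealed, 2) + [null, null];
    $serialized = $b64 === null ? false : base64_decode($b64, true);
    if ($mac === null || $serialized === false
        || !hash_equals(hash_hmac('sha256', $serialized, $secret), $mac)) {
        return null; // tampered or malformed: refuse to deserialize at all
    }
    return unserialize($serialized, ['allowed_classes' => false]);
}

// Constructed attacker payload: a serialized CacheWriter with attacker-chosen
// path and content. A real attacker would aim at a web-reachable .php path.
$gadget = new CacheWriter();
$gadget->path = '/tmp/poc-object-injection.txt';
$gadget->payload = "written by __destruct of an injected object\n";
$payload = serialize($gadget);
unset($gadget); // releasing the original also fires __destruct once here

$vuln = load_event_settings_vulnerable($payload); // a real CacheWriter exists now
$safe = load_event_settings_safe($payload);       // __PHP_Incomplete_Class only

printf("vulnerable path built: %s\n", get_class($vuln));
printf("hardened path built:   %s\n", get_class($safe));

$secret = 'demo-secret-change-me';
$sealed = seal(serialize(['per_page' => 10]), $secret);
$tampered = substr($sealed, 0, -4) . 'AAAA';
printf("sealed blob accepted:   %s\n", json_encode(unseal($sealed, $secret)));
printf("tampered blob accepted: %s\n", json_encode(unseal($tampered, $secret)));
```

Run it with the PHP CLI and check /tmp afterwards: the file named in the payload appears because the vulnerable loader built a real CacheWriter whose __destruct ran at script exit, while the hardened loader produced only a __PHP_Incomplete_Class, which has no behaviour. The sealed variant still calls unserialize() at the end, but only on bytes the server itself produced and with class instantiation disabled, which is the combination to reach for when a serialized blob genuinely must pass through the client.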

Remediation (AI)

Upgrade Events Calendar for GeoDirectory to a version later than 2.3.14 (2.3.15 or newer, once released), and confirm through the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/events-for-geodirectory/vulnerability/wordpress-events-calendar-for-geodirectory-plugin-2-3-14-php-object-injection-vulnerability that the installed release addresses CVE-2025-26967.

If patching must wait, apply compensating controls. Restrict who can authenticate: disable open registration and keep low-privileged accounts to a minimum, since the vector requires only low privileges (PR:L). Disable the plugin entirely if event functionality is not critical. Add a web application firewall rule that blocks PHP serialized-object notation (for example O:<length>:"ClassName") in request bodies sent to the plugin's endpoints; match only objects rather than any serialized data, because WordPress legitimately round-trips serialized arrays in options, and test the rule in monitoring mode before enforcing it. Enable comprehensive WordPress audit logging so that deserialization attempts and privilege changes are recorded.

Also look for prior exploitation: review user accounts for unauthorized role or privilege changes, check writable locations such as wp-content/uploads for unexpected PHP files, and after patching review any user-submitted event data or imported content from the vulnerable period.
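The check below is an added example of the request-body screening the compensating controls describe, written in PHP so it can run in front of the plugin's handlers (for instance from a must-use plugin, which WordPress loads before regular plugins). It is not code from the plugin, from WordPress, or from any WAF product; the function name and the sample request bodies are constructed for the demo.

```php
<?php
// Added example of a request-body check for PHP serialized objects, the kind
// of compensating control the remediation describes. Not code from the plugin
// or from any WAF product; the sample bodies below are constructed for the demo.

declare(strict_types=1);

/**
 * Return the class names of every serialized PHP object found in $body,
 * including objects nested inside serialized arrays. Returns [] when the body
 * contains no object notation.
 *
 * The notation looked for is  O:<len>:"<ClassName>":  and the custom
 * serializer form  C:<len>:"<ClassName>":  . Plain arrays (a:...) and scalars
 * are not flagged, which keeps legitimate option saves from tripping the rule.
 */
function find_serialized_objects(string $body): array
{
    $classes = [];
    // Check both the raw body and a URL-decoded copy, because form-encoded
    // POST data arrives with quotes and colons percent-encoded.
    foreach ([$body, urldecode($body)] as $candidate) {
        if (preg_match_all('/\b[OC]:(\d+):"([A-Za-z0-9_\\\\]+)":/', $candidate, $m, PREG_SET_ORDER)) {
            foreach ($m as $hit) {
                // The declared length must equal the class name length; anything
                // else is not valid serialized data and unserialize() rejects it.
                if ((int) $hit[1] === strlen($hit[2])) {
                    $classes[] = $hit[2];
                }
            }
        }
    }
    return array_values(array_unique($classes));
}

// Constructed sample request bodies.
$samples = [
    // Legitimate: a serialized array of event settings, no objects.
    'settings=' . urlencode(serialize(['show_map' => true, 'per_page' => 10])),
    // Suspicious: a serialized object of an application class.
    'settings=' . urlencode('O:11:"CacheWriter":2:{s:4:"path";s:10:"/tmp/x.txt";s:7:"payload";s:3:"abc";}'),
    // Suspicious: object nested inside an array, with a namespaced class.
    'import=' . urlencode('a:1:{i:0;O:21:"Vendor\Package\Gadget":0:{}}'),
    // Benign text that happens to contain "O:" followed by digits.
    'title=Meeting+at+O:10+AM',
];

foreach ($samples as $i => $body) {
    $found = find_serialized_objects($body);
    printf("sample %d: %s\n", $i, $found ? 'BLOCK (' . implode(', ', $found) . ')' : 'allow');
}
```

The first and last samples pass, the middle two are flagged with the class names they would instantiate. In a real deployment the same function would run over php://input (and, for multipart requests, over each decoded field) and the decision would be logged rather than silently dropped, so that the audit trail the remediation asks for also captures blocked attempts; keep the rule scoped to the plugin's endpoints, because other code paths may legitimately carry serialized objects.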
