Severity by source
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Deserialization of Untrusted Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Object Injection. This issue affects EventPrime: from n/a through <= 4.2.8.0.
Analysis (AI)
This is a PHP Object Injection vulnerability in the Metagauss EventPrime WordPress plugin (eventprime-event-calendar-management) caused by unsafe deserialization of untrusted data. All versions up to and including 4.2.8.0 are affected, allowing attackers to inject malicious serialized objects that can lead to remote code execution or arbitrary actions depending on available PHP gadget chains. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | A remote unauthenticated attacker can exploit EventPrime event calendar management plugin versions <= 4.2.8.0 via object injection through deserialization of untrusted data. … |
| Risk Assessment | While a definitive CVSS score is not provided, the underlying nature of CWE-502 object injection vulnerabilities in PHP typically results in critical or high severity ratings (8.0+) due to potential for remote code execution. … |
| Exploit Scenario | An attacker crafts a malicious HTTP request or injects a serialized PHP object payload through a WordPress form, setting value, or plugin interface that accepts user input. When the EventPrime plugin processes this input through an unprotected unserialize() call, the malicious object is instantiated, triggering magic methods that chain together gadgets from WordPress core, popular plugins, or the site's theme. … |
| Remediation | Immediately update the EventPrime plugin to a version higher than 4.2.8.0 if a patched version is available (check the official WordPress plugin repository or Metagauss documentation). … |
Recommended Action (AI)
Within 24 hours: Identify all affected systems and apply vendor patches immediately. …
EUVD-2026-15573
GHSA-544w-wmqh-vq4j