
Events Calendar for GeoDirectory CVE-2026-39532

EUVD-2026-36961 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-15 · Patchstack · GHSA-7h33-9rg2-h2qq
CVSS 3.1 base score: 8.8 (Vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 8.8 HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.8 HIGH

Network-reachable WordPress endpoint (AV:N), low complexity once a usable gadget chain exists in the loaded code (AC:L), requires a Contributor account (PR:L), no user interaction (UI:N); deserialization of attacker-controlled data typically yields full C/I/A impact on the host.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:19 vuln.today

Description (CVE.org)

Contributor PHP Object Injection in Events Calendar for GeoDirectory <= 2.3.25 versions.

Analysis (AI)

PHP Object Injection in the Events Calendar for GeoDirectory WordPress plugin (versions <= 2.3.25) allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or denial of service on the host WordPress site. The flaw is tracked as CWE-502 and was disclosed via Patchstack with a CVSS 3.1 score of 8.8; no public exploit had been identified at the time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Obtain a Contributor-level WordPress account
Delivery: Craft a serialized PHP gadget payload
Exploit: Submit the payload to the vulnerable plugin endpoint
Install: Plugin invokes unserialize() on the input
C2: POP chain triggers magic methods (e.g. __wakeup or __destruct) on the instantiated objects
Execute: Achieve code execution or a file write as the web server user
Impact: Persist via a webshell or admin account creation

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated WordPress account with at least Contributor-level privileges on a site running the Events Calendar for GeoDirectory plugin at version 2.3.25 or earlier, with the plugin actively enabled alongside GeoDirectory. Practical impact also depends on a usable gadget (POP) chain being present in WordPress core, the active theme, or another installed plugin; without one, passing attacker data to unserialize() is still a defect but does not by itself yield code execution. …
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H scores 8.8 and is consistent with an authenticated network attack producing full confidentiality, integrity, and availability impact on the WordPress instance. …
Exploit Scenario: An attacker registers or compromises a Contributor-level WordPress account on a site running Events Calendar for GeoDirectory <= 2.3.25, then submits crafted input containing a serialized PHP object payload to a plugin endpoint that calls unserialize() on user-controlled data. When the payload is processed, it triggers a POP gadget chain in a loaded plugin or WordPress core, yielding arbitrary file writes or code execution as the web server user. …
Remediation: No vendor-released patch was identified at the time of analysis. Administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/events-for-geodirectory/vulnerability/wordpress-events-calendar-for-geodirectory-plugin-2-3-25-php-object-injection-vulnerability) and the WordPress.org plugin page for a release above 2.3.25 and upgrade as soon as one is published. Until then, review and minimise Contributor-level and higher accounts, since the flaw is only reachable by authenticated users at that level. …
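The attack chain and exploit scenario above describe PHP Object Injection in the abstract. The following script is an added, self-contained illustration of that mechanism and of the fix; it is not code from the Events Calendar for GeoDirectory plugin, from GeoDirectory, or from Patchstack, and nothing on this page identifies the plugin's actual vulnerable endpoint or a real gadget chain. The CacheWriter class, the three handler functions, the poi_payload() helper and the temp-file target are all hypothetical, chosen so the script runs locally with `php poi_demo.php` (PHP 8) and shows the difference between unserialize() on untrusted bytes, unserialize() with allowed_classes => false, and json_decode().

```php
<?php
// Added example (not code from the Events Calendar for GeoDirectory plugin,
// GeoDirectory or Patchstack). All class, function and parameter names are
// hypothetical. Run locally: php poi_demo.php
declare(strict_types=1);

// Hypothetical gadget class. In a real attack this is any class already loaded
// by WordPress core, the theme or another plugin whose magic method does
// something useful for the attacker. Here __destruct() performs a file write,
// which PHP runs automatically when the last reference to the object is dropped.
final class CacheWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: serialized data that a Contributor can influence (a
// request parameter, post meta, an import file) is passed straight to
// unserialize(). Any loaded class can be instantiated with attacker-chosen
// property values.
function vulnerable_handler(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1 (PHP >= 7.0): forbid object instantiation. Scalars and
// arrays still round-trip; objects come back as __PHP_Incomplete_Class and
// their magic methods are never invoked.
function hardened_handler(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2, preferred for new code: a data-only format. JSON cannot
// name a PHP class, so there is no gadget surface at all.
function json_handler(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload, built the way a POP payload is hand-crafted:
// O:<len>:"<class>":<n>:{<serialized properties>}
function poi_payload(string $path, string $data): string
{
    return sprintf(
        'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($path), $path, strlen($data), $data
    );
}

$target  = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$payload = poi_payload($target, "pwned\n");
@unlink($target);

// 1. Vulnerable: the object is instantiated; dropping the last reference runs
//    __destruct() and the attacker-chosen file is written.
$obj = vulnerable_handler($payload);
unset($obj);
printf("vulnerable: file written? %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

// 2. Hardened: identical bytes, but no CacheWriter is created. get_class()
//    reports __PHP_Incomplete_Class and no destructor runs, so no file appears.
$obj = hardened_handler($payload);
printf("hardened:   class = %s\n", get_class($obj));
unset($obj);
printf("hardened:   file written? %s\n", file_exists($target) ? 'yes' : 'no');

// 3. JSON: PHP serialization syntax is simply invalid input and is rejected.
try {
    json_handler($payload);
} catch (JsonException $e) {
    printf("json:       rejected (%s)\n", $e->getMessage());
}
```

The allowed_classes option only stops instantiation; it does not make the surrounding feature safe if the deserialized array is later trusted for paths, SQL or capability checks, and the payload still has to be read as untrusted input. When auditing a plugin for this class of bug, a quick first pass is `grep -rn 'unserialize(' wp-content/plugins/<plugin>/` and checking, for every hit, whether the bytes can originate from a user below Administrator and whether allowed_classes is set; the real fix for this CVE is the vendor's updated release, not a local patch.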

Recommended Action (AI)

Within 24 hours: Identify all WordPress installations running Events Calendar for GeoDirectory version 2.3.25 or earlier and audit Contributor+ user accounts for necessity and legitimacy. …

