Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (Patchstack) · only source for this CVE.
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Deserialization of Untrusted Data vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Object Injection.This issue affects Events Manager: from n/a through <= 7.3.6.
AnalysisAI
PHP Object Injection in the WordPress Events Manager plugin (Marcus/@msykes) affects all versions up to and including 7.3.6, letting remote attackers deserialize untrusted data and instantiate arbitrary PHP objects. When paired with a suitable POP gadget chain present in the plugin, WordPress core, or another installed plugin, this can escalate to remote code execution, data theft, or site takeover. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours, audit all WordPress instances to identify Events Manager versions, assess business criticality, and disable the plugin on non-essential systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Events Manager
View allThe Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injecti
The events-manager plugin through 5.9.5 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper
The Events Manager plugin before 5.8.1.2 for WordPress allows XSS via the events-manager.js mapTitle parameter in the Go
Missing Authorization vulnerability in Pixelite Events Manager.4.6.4. Rated high severity (CVSS 8.8), this vulnerability
The Events Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions
Multiple cross-site scripting (XSS) vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plu
The Events Manager - Calendar, Bookings, Tickets, and more!. Rated high severity (CVSS 7.5), this vulnerability is remot
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixelite Events Ma
The Events Manager - Calendar, Bookings, Tickets, and more!. Rated medium severity (CVSS 6.4), this vulnerability is rem
The Events Manager - Calendar, Bookings, Tickets, and more!. Rated medium severity (CVSS 6.4), this vulnerability is rem
The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scri
The Events Manager - Calendar, Bookings, Tickets, and more!. Rated medium severity (CVSS 6.1), this vulnerability is rem
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43368