
EventPrime WordPress Plugin EUVD-2026-36835 | CVE-2026-42687 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-15 · Patchstack · GHSA-cr5x-4xrc-3jfr
CVSS 3.1 base score 8.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 8.1 HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.1 HIGH
Rationale: pre-auth, network-reachable WordPress plugin endpoint (AV:N/PR:N/UI:N); AC:H because PHP object injection needs a usable gadget chain already present on the target; full CIA impact via deserialization-driven code execution.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Caveat: in CVSS 4.0 a precondition that depends on the deployment (here, a gadget chain that must already be installed) is normally expressed as Attack Requirements AT:P, while Attack Complexity AC:H is reserved for evading built-in defences; the 4.0 vector above keeps AC:H/AT:N, so read it with that in mind.

Primary rating from Vendor (Patchstack).

CVSS vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026, 21:56 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions.

Analysis (AI)

Unauthenticated PHP Object Injection in the EventPrime event calendar plugin for WordPress (versions <= 4.3.2.1) lets remote attackers submit crafted serialized PHP objects. If the deserialized object reaches a gadget chain (classes whose magic methods perform dangerous actions), the result can be remote code execution, file manipulation or data tampering. The flaw is reachable without authentication, but the CVSS:3.1 AC:H rating signals non-trivial preconditions for successful exploitation, principally that such a gadget chain must exist on the target. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Identify a WordPress site running EventPrime ≤ 4.3.2.1
  • Delivery: Enumerate installed plugins/themes for gadget chains
  • Exploit: Craft a serialized PHP object payload
  • Install: Submit the payload to the vulnerable EventPrime endpoint
  • C2: Deserialization triggers a magic-method gadget
  • Execute: Achieve code execution or file write
  • Impact: Establish webshell persistence

Vulnerability Assessment (AI)

Exploitation: The target must run the EventPrime (eventprime-event-calendar-management) WordPress plugin at version 4.3.2.1 or earlier with the vulnerable endpoint reachable over the network, and a usable POP gadget chain must already exist in WordPress core or in another installed plugin or theme. The gadget requirement is the AC:H limiter: PHP object injection without a gadget chain instantiates an object and nothing else. …

Risk Assessment: Signals are mixed. The CVSS base score of 8.1 (High) reflects network reach (AV:N), no authentication (PR:N), no user interaction (UI:N) and full CIA impact, but AC:H means the attacker needs specialised conditions, most likely a viable gadget chain in the target environment, since PHP object injection is inert on its own. …

Exploit Scenario: A remote, unauthenticated attacker sends a crafted HTTP request to an EventPrime-exposed endpoint carrying a serialized PHP object that names a class whose magic methods (for example __wakeup or __destruct) have a destructive side effect, such as a file-write or eval gadget shipped by another installed plugin. When EventPrime deserializes the input, the gadget chain executes inside the WordPress PHP process, letting the attacker write a webshell, read wp-config.php secrets (database credentials, salts) or alter database records. …

Remediation: An upstream fix is available per the Patchstack advisory; a patched version higher than 4.3.2.1 is implied but not independently confirmed from the data on this page. Administrators should consult the Patchstack entry (https://patchstack.com/database/wordpress/plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-3-2-1-php-object-injection-vulnerability) and the WordPress.org changelog for eventprime-event-calendar-management to confirm the exact fixed release and update immediately. Until the fixed release is confirmed and installed, deactivating the plugin removes the exposure; request filtering for serialized-object markers (such as O:<n>:") is a partial stopgap, not a fix. …
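The exploit scenario and the remediation above, as an added worked example in PHP. This is not EventPrime's code and not vuln.today's analysis; the gadget class CacheWriterGadget, the three handler functions and the marker file path are hypothetical stand-ins chosen to show why unserialize() on request data is the bug, why a gadget class has to be present already, and what the two hardened alternatives look like. It needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);
// Added illustration of PHP object injection (CWE-502). Not code from EventPrime
// or vuln.today. CacheWriterGadget, the handler names and the marker path are
// hypothetical stand-ins.

// Hypothetical gadget class: stands in for a class that some *other* installed
// plugin or theme already autoloads. Its __destruct has a file-write side effect,
// which is exactly what a POP chain abuses. The attacker cannot add classes to the
// target; a usable one has to be there already (the AC:H precondition on this CVE).
final class CacheWriterGadget
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // "Flush the cache to disk" on teardown, with path and contents taken from
        // object state, which unserialize() lets the attacker choose.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: request data goes straight into unserialize(). PHP builds
// whatever object the payload names, and that object's magic methods run here.
function vulnerable_handler(string $untrusted): void
{
    $obj = unserialize($untrusted);
    unset($obj); // refcount hits zero, so __destruct fires; end of request would do the same
}

// Hardened pattern 1: keep unserialize() but forbid object instantiation. Any class
// named in the payload becomes __PHP_Incomplete_Class, whose teardown runs no user code.
function hardened_handler(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization for untrusted input at all.
function json_handler(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Attacker side: a constructed payload. It is assembled as a string rather than by
// calling serialize() on a live object, because instantiating the gadget here would
// trigger its destructor on the attacker's own machine.
$marker   = sys_get_temp_dir() . '/poi-demo-marker.txt';
$contents = 'written by gadget; a real chain would drop a webshell instead';
@unlink($marker);
$payload = sprintf(
    'O:%d:"%s":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen('CacheWriterGadget'), 'CacheWriterGadget',
    strlen($marker), $marker,
    strlen($contents), $contents
);
echo "payload: $payload\n";

vulnerable_handler($payload);
printf("vulnerable handler: marker file exists = %s\n", var_export(file_exists($marker), true));
@unlink($marker);

$result = hardened_handler($payload);
printf("hardened handler: unserialize() returned %s\n", get_class($result));
unset($result);
printf("hardened handler: marker file exists = %s\n", var_export(file_exists($marker), true));

try {
    json_handler($payload);
} catch (JsonException $e) {
    printf("json handler: rejected serialized input (%s)\n", $e->getMessage());
}
```

Run it with php from the command line; the vulnerable handler leaves the marker file behind and the hardened handlers do not. With allowed_classes set to false the payload still parses (scalars and arrays come through), so the option is a drop-in fix only where the endpoint never legitimately needs objects; anything that does should move to JSON. When auditing a plugin for this bug class, the pattern to look for is any unserialize() or maybe_unserialize() call whose argument derives from $_GET, $_POST, cookies or request headers.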

Recommended Action (AI)

WITHIN 24 HOURS: Inventory all WordPress installations for EventPrime (slug eventprime-event-calendar-management) at version 4.3.2.1 or earlier, using wp-cli (wp plugin list) or the WordPress Admin > Plugins page; document the affected systems and prioritise them. …
