What the vulnerability does
Description
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 4.3.6.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
WpEvently versions 4.3.6 and earlier contain a deserialization vulnerability in how they process untrusted data. An attacker with low-level site access can craft malicious serialized objects to execute arbitrary PHP code on the server. This grants full control over the WordPress installation, including database access and file modification.
What an attacker can do
Run arbitrary PHP code on the site and access or modify all site data and files.
Potential impact on your site
Complete compromise of the WordPress site, including database theft, malware injection, and defacement.
Conditions required to exploit
Attacker must have a low-privilege account (subscriber or contributor level) on the WordPress site.
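One way to look for this class of payload in requests from logged-in low-privilege accounts, as an added example that is not code from the advisory or the plugin: a Python heuristic that flags request parameters carrying PHP serialized-object tokens, including URL-encoded and base64-wrapped forms. The sample requests and parameter names are constructed, since the advisory does not name the affected input.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote_plus

# PHP serialize() writes an object as  O:<name length>:"<class>":<property count>:{
# and a Serializable class as          C:<name length>:"<class>":<data length>:{
# The token sits at the start of the payload or right after ';' or '{' when nested.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
BASE64_LIKE = re.compile(r'[A-Za-z0-9+/_=-]{16,}')


def _candidates(value):
    """Yield the raw value plus its URL-decoded and base64-decoded forms."""
    yield value
    unquoted = unquote_plus(value)
    if unquoted != value:
        yield unquoted  # value was URL-encoded twice
    if BASE64_LIKE.fullmatch(value):
        std = value.replace('-', '+').replace('_', '/')
        try:
            yield base64.b64decode(std + '=' * (-len(std) % 4)).decode('latin-1')
        except (binascii.Error, ValueError):
            pass  # not base64 after all


def has_serialized_object(value):
    """True if the value, in any decoded form, carries a PHP object token."""
    return any(OBJECT_TOKEN.search(c) for c in _candidates(value))


def flag_request(query_or_body):
    """Return the parameter names whose values carry a serialized PHP object."""
    pairs = parse_qsl(query_or_body, keep_blank_values=True)
    return [name for name, value in pairs if has_serialized_object(value)]


# Constructed sample requests; parameter names are hypothetical, not WpEvently's.
SAMPLES = [
    'action=save&title=Annual+meetup%2C+hall+3',
    'action=save&meta=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D',
    'action=save&meta=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22hello%22%3B%7D',
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(flag_request(sample) or 'clean', '<-', sample)
```

Matches are leads to review rather than proof of an attack, since some applications pass serialized data legitimately.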