Event Monster Plugin Vulnerable to PHP Object Injection
CVE-2024-1895
Key Information:
- Vendor: WordPress
- CVE Published: 30 April 2024
Summary
The Event Monster plugin for WordPress, in all versions up to and including 1.3.4, is vulnerable to PHP Object Injection because it passes untrusted input from custom meta values to deserialization. Authenticated users with Contributor-level access or higher can therefore inject arbitrary PHP objects. The vulnerable plugin itself does not contain a property-oriented programming (POP) chain, so on its own the bug is not directly exploitable; if another installed plugin or theme supplies a usable POP chain, however, the impact can include file deletion, retrieval of sensitive data, or arbitrary code execution. Administrators should update to a patched version and review which other plugins and themes are active, since those determine whether an exploitable chain is present.
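The bug class described in the summary, shown as an added illustration (constructed example code, not Event Monster's own code; the gadget class, function names, payload and file path are all hypothetical). The vulnerable reader hands a meta value straight to unserialize(); the hardened reader refuses to instantiate any class, so magic methods of a gadget shipped by some other plugin or theme never run. A small triage helper flags stored values that already contain serialized objects.

```php
<?php
// Added example of PHP Object Injection via unserialize() on a meta value.
// Constructed illustration only, not Event Monster code; all names are hypothetical.

// Hypothetical gadget class that another plugin or theme might ship.
// __destruct runs when an instance is garbage-collected, including instances
// that unserialize() built from attacker-controlled bytes.
class TempFileCleanup {
    public $path;
    public function __destruct() {
        if (is_string($this->path) && file_exists($this->path)) {
            echo "[gadget] would delete {$this->path}\n";
            // @unlink($this->path);  // a real gadget would act here
        }
    }
}

// VULNERABLE: a Contributor stores arbitrary bytes in a custom meta field and
// the plugin deserializes them with no class restriction.
function vulnerable_read_meta(string $raw) {
    return unserialize($raw);
}

// HARDENED: allowed_classes => false makes every serialized object come back as
// __PHP_Incomplete_Class, so no __wakeup/__destruct of any gadget executes.
// Reject such values outright; scalar and array meta still deserialize normally.
function hardened_read_meta(string $raw) {
    $value = unserialize($raw, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        return null;
    }
    return $value;
}

// Triage helper for existing data: does a stored value contain a serialized
// object (an "O:<len>:" token at the start or nested inside an array)?
function contains_serialized_object(string $raw): bool {
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $raw);
}

// Constructed payload: what an attacker would write into the meta field.
$payload = 'O:15:"TempFileCleanup":1:{s:4:"path";s:15:"/tmp/victim.txt";}';
touch('/tmp/victim.txt');

echo "vulnerable: ";
$obj = vulnerable_read_meta($payload);
var_dump(get_class($obj));   // string(15) "TempFileCleanup"
unset($obj);                 // refcount hits zero -> __destruct -> gadget fires

echo "hardened: ";
var_dump(hardened_read_meta($payload));   // NULL, nothing fires

echo "triage: ";
var_dump(contains_serialized_object($payload));                      // true
var_dump(contains_serialized_object('a:1:{s:3:"key";s:5:"value";}')); // false
```

The hardened variant is the minimal fix for code that must keep accepting PHP-serialized meta; where the data format is under the plugin's control, storing structured meta as JSON and reading it with json_decode() removes the deserialization sink entirely. The triage regex is a coarse first pass over wp_postmeta and wp_usermeta for values already written by low-privilege users.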
Affected Version(s)
Event Monster – Event Management, Tickets Booking, Upcoming Event: <= 1.3.4
Timeline
- Vulnerability published: 30 April 2024
- Vulnerability reserved