CVE-2026-39532

Vulnerability

A PHP Object Injection vulnerability exists in the Events Calendar for GeoDirectory plugin for WordPress, affecting versions up to and including 2.3.25 [1]. The flaw arises from unsafe deserialization of user-supplied input, allowing a remote attacker to inject arbitrary PHP objects. No authentication is required, and the attack is triggerable via HTTP requests that include a malicious serialized payload [1].

Exploitation

An unauthenticated attacker can exploit the vulnerability by sending a crafted HTTP request to a vulnerable site running Events Calendar for GeoDirectory <=2.3.25 [1]. The attacker does not need any special privileges or user interaction; the request alone triggers the deserialization of the malicious payload. If a suitable POP (Property Oriented Programming) gadget chain is present in the WordPress environment (e.g., via installed plugins or themes), the attacker can achieve arbitrary code execution [1].

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code on the server, which can lead to full site compromise [1]. Depending on the available POP gadgets, the attacker may also be able to perform SQL injection, path traversal, denial of service, or other actions. The CVSS v3 score of 8.8 (High) reflects the broad potential impact and low complexity of the attack [1].

Mitigation

The vendor has released version 2.3.26, which fixes the vulnerability by properly sanitizing deserialized data [1]. Users should update to this version immediately as a primary mitigation. For those unable to update immediately, Patchstack provides a virtual mitigation rule to block attacks until the plugin is updated [1]. No workaround other than disabling the plugin is currently available if patching is not possible. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.