CVE-2026-42687

Vulnerability

The EventPrime plugin for WordPress, versions 4.3.2.1 and earlier, contains an unauthenticated PHP Object Injection vulnerability [1]. The flaw is triggered when user-supplied input is passed to an unserialize() call in the plugin's code, which does not require authentication to reach. Any website running EventPrime up to version 4.3.2.1 is affected [1].

Exploitation

An attacker can exploit this vulnerability remotely without needing any authentication or prior access to the target site [1]. The attacker sends a specially crafted HTTP request containing a serialized PHP object to the vulnerable endpoint. The plugin's code unserializes the input, and if a suitable POP (Property Oriented Programming) chain exists in the loaded PHP classes (within the plugin or other active plugins/themes), the attacker can trigger arbitrary code execution or other malicious actions [1].

Impact

Successful exploitation of this PHP Object Injection vulnerability could lead to severe consequences, including remote code execution, SQL injection, path traversal, and denial of service [1]. The exact impact depends on the available POP gadgets in the WordPress environment, but the vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vulnerability is fixed in EventPrime version 4.3.2.2 [1]. Users are strongly advised to update to this version or later immediately. If updating is not possible, users can apply a virtual patch or mitigation rule provided by Patchstack to block attacks until the plugin is updated [1]. The vulnerability is listed as expected to be exploited, so prompt action is critical [1].