← Back

CVE-2024-8016

nvd nist
Published: Aug 30, 2024Modified: Jun 17, 2026

JSON object

Loading...
7.2
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 / Impact: 5.9
Source: NVD

Description

The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely. In certain configurations, this can be exploitable by lower level users. We confirmed that this plugin installed with Elementor makes it possible for users with contributor-level access and above to exploit this issue.

Affected (1)

Theeventscalendar
1 product
Events Calendar Pro
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Events Calendar Pro
Before 7.0.2.1

Related CWEs

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (3)

Source: security@wordfence.com
Vendor Advisory
Source: security@wordfence.com
Release Notes
Source: security@wordfence.com
Third Party Advisory

Timeline

No history available yet.