The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely. In certain configurations, this can be exploitable by lower-level users. We confirmed that this plugin installed with Elementor makes it possible for users with contributor-level access and above to exploit this issue.
History
03 Sep 2024, 14:51
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : unknown; v3 : 7.2 |
First Time | | Theeventscalendar; Theeventscalendar events Calendar Pro |
CPE | | cpe:2.3:a:theeventscalendar:events_calendar_pro:*:*:*:*:*:wordpress:*:* |
Summary | | |
References | | https://theeventscalendar.com/blog/news/important-security-update-for-the-events-calendar-pro/ - Vendor Advisory |
References | | https://theeventscalendar.com/release-notes/events-calendar-pro/events-calendar-pro-7-0-2-1/ - Release Notes |
References | | https://www.wordfence.com/threat-intel/vulnerabilities/id/34f0e5a6-0bd3-4734-b7e0-27dc825d193f?source=cve - Third Party Advisory |
30 Aug 2024, 07:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2024-08-30 07:15
Updated : 2024-09-03 14:51
NVD link : CVE-2024-8016
Mitre link : CVE-2024-8016
CVE.ORG link : CVE-2024-8016
Products Affected
theeventscalendar
- events_calendar_pro
CWE
CWE-502
Deserialization of Untrusted Data