CVE-2024-8016

The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely. In certain configurations, this can be exploitable by lower level users. We confirmed that this plugin installed with Elementor makes it possible for users with contributor-level access and above to exploit this issue.
Configurations

Configuration 1 (hide)

cpe:2.3:a:theeventscalendar:events_calendar_pro:*:*:*:*:*:wordpress:*:*

History

03 Sep 2024, 14:51

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.1
v2 : unknown
v3 : 7.2
First Time Theeventscalendar
Theeventscalendar events Calendar Pro
CPE cpe:2.3:a:theeventscalendar:events_calendar_pro:*:*:*:*:*:wordpress:*:*
Summary
  • (es) El complemento Events Calendar Pro para WordPress es vulnerable a la inyección de objetos PHP en todas las versiones hasta la 7.0.2 incluida, a través de la deserialización de la entrada no confiable del parámetro "filtros" en los widgets. Esto hace posible que los atacantes autenticados, con acceso de nivel de administrador y superior, inyecten un objeto PHP. La presencia adicional de una cadena POP permite a los atacantes ejecutar código de forma remota. En ciertas configuraciones, esto puede ser explotado por usuarios de nivel inferior. Confirmamos que este complemento instalado con Elementor hace posible que los usuarios con acceso de nivel de colaborador y superior exploten este problema.
References () https://theeventscalendar.com/blog/news/important-security-update-for-the-events-calendar-pro/ - () https://theeventscalendar.com/blog/news/important-security-update-for-the-events-calendar-pro/ - Vendor Advisory
References () https://theeventscalendar.com/release-notes/events-calendar-pro/events-calendar-pro-7-0-2-1/ - () https://theeventscalendar.com/release-notes/events-calendar-pro/events-calendar-pro-7-0-2-1/ - Release Notes
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/34f0e5a6-0bd3-4734-b7e0-27dc825d193f?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/34f0e5a6-0bd3-4734-b7e0-27dc825d193f?source=cve - Third Party Advisory

30 Aug 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-30 07:15

Updated : 2024-09-03 14:51


NVD link : CVE-2024-8016

Mitre link : CVE-2024-8016

CVE.ORG link : CVE-2024-8016


JSON object : View

Products Affected

theeventscalendar

  • events_calendar_pro
CWE
CWE-502

Deserialization of Untrusted Data