{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68047", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:07.754Z", "datePublished": "2026-01-22T16:52:06.124Z", "dateUpdated": "2026-04-28T19:56:58.706Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-event-solution", "product": "Eventin", "vendor": "Arraytics", "versions": [{"changes": [{"at": "4.1.4", "status": "unaffected"}], "lessThanOrEqual": "4.1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "w41bu1 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:46.964Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.<p>This issue affects Eventin: from n/a through <= 4.1.3.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.This issue affects Eventin: from n/a through <= 4.1.3."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.571Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-52-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Eventin plugin <= 4.1.3 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T17:21:37.048754Z", "id": "CVE-2025-68047", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:56:58.706Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68047", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T17:21:37.048754Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T17:21:33.671Z"}}], "cna": {"title": "WordPress Eventin plugin <= 4.1.3 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "w41bu1 | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Arraytics", "product": "Eventin", "versions": [{"status": "affected", "changes": [{"at": "4.1.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.1.3"}], "packageName": "wp-event-solution", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:02:46.964Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-52-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.This issue affects Eventin: from n/a through <= 4.1.3.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.<p>This issue affects Eventin: from n/a through <= 4.1.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.571Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68047", "state": "PUBLISHED", "dateUpdated": "2026-04-28T19:56:58.706Z", "dateReserved": "2025-12-15T10:01:07.754Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:06.124Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection.This issue affects Eventin: from n/a through <= 4.1.3."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Arraytics Eventin wp-event-solution permite la inyecci\u00f3n de objetos. Este problema afecta a Eventin: desde n/a hasta &lt;= 4.1.1."}], "id": "CVE-2025-68047", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-22T17:16:09.503", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-52-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:18:43.305618+00:00", "value": {"mitigation_remediation": ["Upgrade the Eventin plugin to version 4.1.4 or later.", "Verify that all legacy plugin files have been removed from the installation directory.", "Restrict access to the plugin\u2019s administrative interface and consider disabling the plugin on production environments until the update is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the WordPress Eventin plugin (wp-event-solution) from any version through 4.1.3 inclusive. WordPress sites that have installed this plugin, regardless of their WordPress core version, are therefore potentially affected.", "description_and_impact": "Deserialization of untrusted data in the Arraytics Eventin WordPress plugin enables PHP Object Injection, which can allow an attacker to supply a crafted object payload that is unserialized by the plugin. This flaw can lead to arbitrary code execution on the web server hosting the WordPress site, providing full control over the compromised site. The weakness is classified as CWE-502, a deserialization issue that permits injection of malicious objects.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity for this flaw. The EPSS score of less than 1% suggests that, at the time of assessment, exploitation is considered uncommon, yet the risk remains significant due to the potential impact of remote code execution. The vulnerability is not listed in the CISA KEV catalog. While the description does not specify the precise invocation method, it is inferred that an attacker could trigger the flaw through a crafted web request that the plugin processes, implying a remote attack vector. Successful exploitation would grant the attacker the privileges of the WordPress user executing the request, potentially escalating to full site compromise."}}}}, "created": "2026-01-23T16:29:57.076060+00:00", "updated": "2026-04-27T21:30:13.882515+00:00", "vendors": ["arraytics", "arraytics$PRODUCT$eventin", "wordpress", "wordpress$PRODUCT$wordpress"]}