{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23549", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-14T08:36:07.869Z", "datePublished": "2026-02-19T08:26:49.962Z", "dateUpdated": "2026-04-28T16:14:46.842Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "mage-eventpress", "product": "WpEvently", "vendor": "magepeopleteam", "versions": [{"changes": [{"at": "5.1.2", "status": "unaffected"}], "lessThanOrEqual": "5.1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:30.375Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.<p>This issue affects WpEvently: from n/a through <= 5.1.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.1.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.842Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress WpEvently plugin <= 5.1.1 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:23:37.970246Z", "id": "CVE-2026-23549", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:43:48.090Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23549", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T21:23:37.970246Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:22:57.012Z"}}], "cna": {"title": "WordPress WpEvently plugin <= 5.1.1 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "magepeopleteam", "product": "WpEvently", "versions": [{"status": "affected", "changes": [{"at": "5.1.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.1.1"}], "packageName": "mage-eventpress", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:14.517Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-1-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.1.1.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.<p>This issue affects WpEvently: from n/a through <= 5.1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:44.396Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23549", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:43:48.090Z", "dateReserved": "2026-01-14T08:36:07.869Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:49.962Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.1.1."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en magepeopleteam WpEvently mage-eventpress permite la inyecci\u00f3n de objetos. Este problema afecta a WpEvently: desde n/a hasta &lt;= 5.1.1."}], "id": "CVE-2026-23549", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:12.927", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.1.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WpEvently", "source": "cna", "vendor": "magepeopleteam"}, "product": "wpevently", "vendor": "magepeopleteam"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:40:56.903936+00:00", "value": {"mitigation_remediation": ["Upgrade the WpEvently plugin to the latest version (any version above 5.1.1).", "If an immediate upgrade is not possible, restrict access to the plugin\u2019s administrative and front\u2011end interfaces to trusted users only and monitor for suspicious activity.", "Apply generic input validation and output encoding best practices to all plugin endpoints to reduce the risk of future deserialization issues."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WpEvently plugin by magepeopleteam on versions up to and including 5.1.1 are impacted. The vulnerability exists from the initial release of the plugin through 5.1.1, affecting any installation that has not applied a subsequent patch.", "description_and_impact": "This vulnerability arises from deserialization of untrusted data within the WpEvently plugin, allowing an attacker to perform PHP Object Injection. The flaw is classified as CWE-502, leading to potential arbitrary code execution when the plugin processes maliciously crafted input. If exploited, an attacker could take full control of the affected WordPress site, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% suggests the likelihood of immediate exploitation is currently low and the vulnerability is not in the CISA KEV catalog. However, given its remote code execution nature, successful exploitation would allow an attacker to execute arbitrary code on the server. The likely attack vector is a remote actor sending a specially crafted request to a plugin endpoint that triggers unsafe unserialization. Attackers may need to target authenticated sessions or exploit public-facing forms that the plugin processes."}}}}, "created": "2026-02-20T10:11:17.000480+00:00", "updated": "2026-04-16T06:45:16.317531+00:00", "vendors": ["magepeopleteam", "magepeopleteam$PRODUCT$wpevently", "wordpress", "wordpress$PRODUCT$wordpress"]}