Refine your search

1 vulnerability found for The Events Calendar Pro by theeventscalendar

CVE-2024-8016 (GCVE-0-2024-8016)
Vulnerability from cvelistv5
Published
2024-08-30 06:52
Modified
2026-04-08 16:45
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-502 - Deserialization of Untrusted Data
Summary
The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely. In certain configurations, this can be exploitable by lower level users. We confirmed that this plugin installed with Elementor makes it possible for users with contributor-level access and above to exploit this issue.
References
Impacted products
Vendor Product Version
theeventscalendar The Events Calendar Pro Version: 0    7.0.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:theeventscalendar:events_calendar_pro:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "events_calendar_pro",
            "vendor": "theeventscalendar",
            "versions": [
              {
                "lessThanOrEqual": "7.0.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8016",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-30T14:50:02.769314Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-30T14:50:48.923Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "The Events Calendar Pro",
          "vendor": "theeventscalendar",
          "versions": [
            {
              "lessThanOrEqual": "7.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Istv\u00e1n M\u00e1rton"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the \u0027filters\u0027 parameter in widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely. In certain configurations, this can be exploitable by lower level users. We confirmed that this plugin installed with Elementor makes it possible for users with contributor-level access and above to exploit this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:45:51.529Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34f0e5a6-0bd3-4734-b7e0-27dc825d193f?source=cve"
        },
        {
          "url": "https://theeventscalendar.com/release-notes/events-calendar-pro/events-calendar-pro-7-0-2-1/"
        },
        {
          "url": "https://theeventscalendar.com/blog/news/important-security-update-for-the-events-calendar-pro/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-08-20T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2024-08-20T00:00:00.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2024-08-29T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "The Events Calendar Pro \u003c= 7.0.2 - Authenticated (Administrator+) PHP Object Injection to Remote Code Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-8016",
    "datePublished": "2024-08-30T06:52:15.737Z",
    "dateReserved": "2024-08-20T16:45:51.132Z",
    "dateUpdated": "2026-04-08T16:45:51.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}