WordPress Event Plugin Vulnerability Puts Sites at Risk – Update WpEvently Now

CVE: CVE-2024-24796
CVSS (v3.1): 8.2
Source: CVE-2024-24796

WpEvently, the Event Manager and Tickets Selling Plugin for WooCommerce from the MagePeople Team, is used by many WordPress sites to manage events and has a serious deserialization vulnerability with a CVSS score of 8.2. Deserialization vulnerabilities arise when an application deserializes untrusted data, potentially allowing attackers to execute arbitrary code on the affected system.

In the case of WpEvently, attackers could exploit this to take full control of vulnerable sites. They just need to trick a site administrator or user into visiting a specially crafted URL or opening a file containing malicious serialized PHP objects. Once those objects are deserialized, the attacker's code would execute with the same privileges as the web server.
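The mechanism described above, as an added example that is not WpEvently's code: a generic PHP sketch of why `unserialize()` on untrusted input is dangerous, next to a hardened loader. The `CacheFile` class, the function names and the sample input are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not WpEvently code; every name below is hypothetical.
// CacheFile stands in for any class already loaded on a site whose magic
// method acts on its own properties. Here it only records that it ran.
class CacheFile
{
    public $path = '';
    public static $log = [];
    public function __destruct()
    {
        self::$log[] = "destructor ran with path={$this->path}";
    }
}

// Constructed input: an array that also carries a CacheFile object.
$untrusted = 'a:2:{s:8:"event_id";i:7;s:5:"extra";'
           . 'O:9:"CacheFile":1:{s:4:"path";s:13:"sender-chosen";}}';

// Weak form: any loaded class named in the data is instantiated.
function load_unsafe(string $data)
{
    return unserialize($data);
}
// True if the value holds an object at any depth.
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}
// Hardened form: no class is instantiated, and input that tried to carry
// an object is rejected outright.
function load_safe(string $data): ?array
{
    $value = unserialize($data, ['allowed_classes' => false]);
    return (is_array($value) && !contains_object($value)) ? $value : null;
}

$result = load_unsafe($untrusted);
unset($result); // object freed, destructor fires
echo count(CacheFile::$log), " magic-method call(s) via load_unsafe\n";
CacheFile::$log = [];
var_dump(load_safe($untrusted)); // object-bearing input
echo count(CacheFile::$log), " magic-method call(s) via load_safe\n";
```

Where the stored data is plain values, replacing `serialize()`/`unserialize()` with `json_encode()`/`json_decode()` removes object instantiation from the parsing path entirely.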

This lets the attacker do anything the web server can do, such as installing malware, deleting data, or changing site content. They could also use the compromised site to launch attacks on site visitors or other systems on the network.

If you use WpEvently on your WordPress site, you should update to the latest version immediately. Versions before 4.1.1 are vulnerable. You should also check your site for any signs of compromise and contact your host if needed. Staying on top of plugin updates is one of the best ways to keep your site secure.
