CVE-2025-54742

magepeopleteam · magepeopleteam WpEvently

Executive summary

A high-severity Untrusted Data Deserialization vulnerability in the WpEvently WordPress plugin could allow an attacker to perform an Object Injection attack, potentially leading to arbitrary code execution and a full server compromise.

Vulnerability

The plugin is vulnerable to Deserialization of Untrusted Data (PHP Object Injection). The flaw arises when user-supplied input is passed to PHP's `unserialize()` without validation: the `O:` header of a serialized string names a class, and PHP instantiates that class and sets its properties from the attacker's data. Code execution is not automatic; it happens when a class already loaded by WordPress, the plugin, or another installed plugin or library has a magic method (`__wakeup`, `__destruct`, `__toString`) that does something dangerous with attacker-controlled properties, a so-called gadget chain. The real-world impact therefore ranges from file manipulation to arbitrary code execution depending on what else is installed on the site. Authentication requirements are not specified in the advisory; a CVSS 3.x base score of 8.8 is most commonly produced by the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which would mean the flaw is reachable over the network by an authenticated low-privileged user (for example a subscriber) without user interaction, but this is an inference from the score, not a stated fact.

Business impact

Rated 8.8 (High) on the CVSS scale, this is a high-risk vulnerability. Successful exploitation of an object injection flaw, where a usable gadget chain exists on the site, results in Remote Code Execution (RCE) as the web server user. That gives an attacker complete control over the WordPress installation, including the database credentials in wp-config.php, and a foothold on the underlying server from which to attack other systems.

Remediation

Immediate Action: Immediately update the WpEvently plugin to the latest patched version. If a patch is unavailable, the plugin must be disabled and uninstalled to prevent exploitation.

Proactive Monitoring: Monitor web server and WAF logs for PHP serialization markers in request data, in particular the object header pattern `O:<length>:"<ClassName>":<count>:{` (and the less common `C:` form), both as sent and after URL- and base64-decoding, since payloads are commonly wrapped that way. Note that standard access logs record only the query string, not POST bodies, so body inspection requires a WAF audit log or application-level logging. Use file integrity monitoring to detect unauthorized changes to website files, especially new or modified PHP files under wp-content.
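The following detector is an added example written for this page; it is not code from the advisory, from magepeopleteam, or from the WpEvently plugin. It scans combined-format access-log lines for the PHP object header described above, trying each query parameter as sent, URL-decoded, and base64-decoded. The log lines, the `action=example` endpoint and the `data`/`cfg` parameter names are constructed for the example and say nothing about the plugin's real endpoints.

```python
"""Scan web-server access-log lines for PHP serialized-object payloads.

Added example, not part of the advisory. Looks for the PHP object header
O:<len>:"<Class>":<n>:{ (and the C: variant) in request parameters, as
sent, after URL-decoding, and after a base64 layer.
"""
import base64
import re
from urllib.parse import unquote_plus

# Serialized PHP object header, e.g. O:8:"stdClass":1:{  (namespaced names allowed)
PHP_OBJECT_RE = re.compile(r'[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
# Request line inside an Apache/Nginx combined-format log entry
REQUEST_LINE_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')
# Standard or URL-safe base64 alphabet with optional trailing padding
B64_CHARS_RE = re.compile(r'[A-Za-z0-9+/_-]+={0,2}')


def _try_base64(text):
    """Return the base64-decoded text, or None if it is not plausible base64."""
    s = text.strip()
    if len(s) < 8 or not B64_CHARS_RE.fullmatch(s):
        return None
    s = s.replace('-', '+').replace('_', '/')   # accept URL-safe variant
    s += '=' * (-len(s) % 4)                    # restore stripped padding
    try:
        return base64.b64decode(s, validate=True).decode('utf-8', 'replace')
    except ValueError:                          # binascii.Error is a ValueError
        return None


def decode_layers(value):
    """Yield (encoding, text) for a parameter as sent, URL-decoded and base64-decoded."""
    yield 'raw', value
    decoded = unquote_plus(value)
    if decoded != value:
        yield 'urldecoded', decoded
    for base in dict.fromkeys((value, decoded)):   # dedupe, keep order
        inner = _try_base64(base)
        if inner is not None:
            yield 'base64', inner


def scan_query(query):
    """Scan a raw (still URL-encoded) query string; return a list of hits."""
    hits = []
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, raw = pair.partition('=')
        for encoding, text in decode_layers(raw):
            for m in PHP_OBJECT_RE.finditer(text):
                hits.append({'param': unquote_plus(name),
                             'class': m.group(1),
                             'encoding': encoding})
    return hits


def scan_access_log_line(line):
    """Pull the request target out of a combined-format log line and scan its query."""
    m = REQUEST_LINE_RE.search(line)
    if not m:
        return []
    _, _, query = m.group(1).partition('?')
    return scan_query(query)


def scan_lines(lines):
    """Return {line_index: hits} for every line that carries a serialized object."""
    return {i: h for i, line in enumerate(lines) if (h := scan_access_log_line(line))}


# Constructed sample log entries. Endpoint and parameter names are hypothetical.
B64_PAYLOAD = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /?page_id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:13:56:02 +0000] "GET /wp-admin/admin-ajax.php?action=example'
    '&data=O:8:%22stdClass%22:1:%7Bs:3:%22foo%22;s:3:%22bar%22;%7D HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    f'198.51.100.7 - - [10/Oct/2025:13:57:11 +0000] "GET /?cfg={B64_PAYLOAD} HTTP/1.1" 200 17 "-" "curl/8.4.0"',
]

if __name__ == '__main__':
    for idx, hits in scan_lines(SAMPLE_LOG_LINES).items():
        print(idx, hits)
```

Only `O:`/`C:` headers are flagged; plain serialized arrays (`a:`) and scalars are normal in many WordPress requests and would drown the signal. To inspect POST bodies, feed the raw form body to `scan_query()` from a WAF audit log or application log, since access logs do not record it. Treat a hit naming a class other than `stdClass` as high priority, because that is the shape of a gadget-chain attempt.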

Compensating Controls: A Web Application Firewall (WAF) may be able to detect and block known object injection payloads, but encoded or novel payloads routinely bypass signature rules, so this is not a substitute for patching. Hardening the PHP and web-server configuration limits what a successful exploit can do: restrict dangerous functions with `disable_functions` (for example `exec`, `system`, `shell_exec`, `passthru`, `proc_open`), confine file access with `open_basedir`, and deny execution of PHP files under wp-content/uploads so a dropped web shell cannot run.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a direct path to server compromise and must be treated with the highest urgency. Even sites where no gadget chain is known today should assume one can appear with the next plugin or library update, so the absence of a public exploit is not a reason to wait. Administrators are strongly advised to patch or remove the vulnerable WpEvently plugin immediately and to review logs for the serialized-object indicators above.