CVE-2026-39532

WordPress · Events Calendar for GeoDirectory

The Events Calendar for GeoDirectory plugin for WordPress contains a PHP object injection vulnerability accessible to authenticated contributors.

Executive summary

A PHP object injection vulnerability in the Events Calendar for GeoDirectory plugin lets an authenticated user with Contributor-level access (or higher) inject arbitrary PHP objects into the application. Combined with a suitable gadget chain in the loaded code base, this leads to remote code execution and full compromise of the site.

Vulnerability

This is a PHP object injection vulnerability: the plugin deserializes user-controlled input with PHP's unserialize() without restricting which classes may be instantiated. An attacker can therefore supply a serialized object of any class loaded by WordPress core, the active theme or another plugin, with attacker-chosen property values, and have that class's magic methods (__wakeup on deserialization, __destruct when the object is released, __toString and similar) run on the server. Escalating injection to code execution requires a gadget (POP) chain, that is, a loaded class whose magic methods do something dangerous such as writing a file, including a path or calling a function named in a property; on a typical WordPress install with many third-party plugins such chains are frequently available. Exploitation requires an authenticated account holding Contributor capabilities or higher. Contributor is the lowest role that can author posts, so on sites with open registration or guest authorship the bar is low.

Business impact

Successful exploitation allows arbitrary code execution in the context of the web server process, which in turn permits reading or altering database contents (including user records and stored credentials), creating administrator accounts, installing web shells for persistence, and taking full administrative control of the WordPress instance. The CVSS base score of 8.8 places the issue in the High severity band (Critical begins at 9.0); the practical impact of a code-execution primitive nonetheless warrants treating it as a top-priority fix.

Remediation

Immediate Action: Ensure the Events Calendar for GeoDirectory plugin is updated to the latest version provided by the vendor.

Proactive Monitoring: Review web server and application logs for requests to the plugin's endpoints that carry PHP serialized data (strings of the form O:<length>:"ClassName": in POST bodies or parameters, possibly URL-encoded), and check writable locations such as wp-content/uploads for PHP files that should not be there. Audit user accounts: confirm which accounts hold the Contributor role, remove stale or unknown accounts, and disable open registration where it is not required.

Compensating Controls: Where the update cannot be applied immediately, a WAF rule that blocks serialized PHP object signatures (O:<n>:"...) in request parameters reduces exposure. Such rules are defence in depth only: encoded, nested or split payloads can evade signature matching, so the rule is no substitute for updating or deactivating the plugin.
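The following added illustration (not code from the Events Calendar for GeoDirectory plugin or its vendor) ties the vulnerability description and the remediation advice above together. The LogWriter gadget class, the handler names, the request field and the file-write behaviour are hypothetical stand-ins: the real plugin's code path and whatever gadget chains exist on a given site are not shown on this page. It assumes PHP 8.0 or later and writes only into the system temp directory.

```php
<?php
// Added illustration of PHP object injection. The class LogWriter, the handler
// functions and the payload are hypothetical; none of this is the plugin's code.
declare(strict_types=1);

// A "gadget": any class already loaded by WordPress, a theme or another plugin
// whose magic method does something useful to an attacker with attacker-chosen
// property values. Here the destructor writes data to a path, the classic
// file-write primitive (in a real chain: a .php file under the web root).
final class LogWriter
{
    public function __construct(public string $path, public string $data) {}

    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE: untrusted input reaches unserialize() with default options, so
// any loaded class can be instantiated and its magic methods fired.
function vulnerable_handler(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// HARDENED, option 1: forbid class instantiation. Object entries come back as
// __PHP_Incomplete_Class and no __wakeup/__destruct of the named class runs.
function hardened_unserialize(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// HARDENED, option 2 (preferred for new code): never use PHP serialization for
// untrusted data; accept JSON and validate the expected shape explicitly.
function hardened_json(string $untrusted): ?array
{
    $decoded = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($decoded) || !isset($decoded['title']) || !is_string($decoded['title'])) {
        return null;
    }
    return ['title' => $decoded['title']];
}

// Compensating control: the signature a WAF rule would look for. Serialized PHP
// objects start with O:<len>:"<class>": (C: for custom serialization). The
// decode step catches plain URL encoding; nested or double-encoded payloads
// can still slip past, which is why this is defence in depth only.
function looks_like_serialized_object(string $value): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', rawurldecode($value));
}

// --- Demonstration with a constructed payload (safe: writes only to temp) ---
$target = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$data   = "written by attacker\n";
// Built by hand rather than with serialize(new LogWriter(...)), so the demo
// does not fire the destructor before the vulnerable call is reached.
$payload = sprintf('O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($target), $target, strlen($data), $data);
echo "attacker payload: $payload\n";

// 1. Vulnerable path: the object is rebuilt and, when released, its destructor
//    runs with attacker-controlled arguments.
$obj = vulnerable_handler($payload);
echo "vulnerable: got " . get_class($obj) . "\n";
unset($obj);                                   // triggers __destruct
echo "file written by gadget? " . (file_exists($target) ? 'yes' : 'no') . "\n";
@unlink($target);

// 2. allowed_classes => false: same payload, but the class is never instantiated.
$obj = hardened_unserialize($payload);
echo "hardened: got " . get_class($obj) . "\n";   // __PHP_Incomplete_Class
unset($obj);
echo "file written by gadget? " . (file_exists($target) ? 'yes' : 'no') . "\n";

// 3. JSON path rejects the payload outright (it is not valid JSON).
try {
    hardened_json($payload);
} catch (JsonException $e) {
    echo "json path: rejected (" . $e->getMessage() . ")\n";
}

// 4. What a signature-based WAF rule sees, including a URL-encoded variant.
foreach ([$payload, rawurlencode($payload), '{"title":"Board meeting"}'] as $sample) {
    printf("signature match: %s  <- %s\n",
        looks_like_serialized_object($sample) ? 'yes' : 'no ', substr($sample, 0, 40));
}
```

Run it with php poi-demo.php. The vulnerable path reports the file as written, the allowed_classes path reports __PHP_Incomplete_Class and no file, and the JSON path throws before any object exists. Note that wrapping the call in WordPress' own maybe_unserialize() does not help, since that helper calls unserialize() with default options. If legitimate code genuinely needs objects back, allowed_classes can take an explicit list of class names instead of false, but every class on that list is a candidate gadget, so a JSON or array-only format remains the safer design.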

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the potential for remote code execution from a low-privilege account, administrators should update this plugin immediately. Where its functionality is not essential, deactivating and removing the plugin eliminates the entry point entirely and reduces the attack surface; removal, rather than deactivation alone, also prevents the vulnerable version from being reactivated by mistake.