An unauthenticated PHP object injection vulnerability in the EventPrime plugin allows remote attackers to execute arbitrary code, creating an immediate risk of full site compromise.

This is a critical PHP object injection vulnerability that does not require prior authentication. Attackers can trigger the flaw via crafted requests to the application.

Because this vulnerability is exploitable by unauthenticated attackers, it carries a significantly higher risk than authenticated-only flaws. Successful exploitation leads to remote code execution, enabling attackers to steal sensitive data, modify content, or install backdoors, justifying its high-severity classification.

Immediate Action: Update the EventPrime plugin to the latest patched version immediately.

Proactive Monitoring: Monitor web server logs for suspicious traffic patterns or malformed requests targeting the EventPrime plugin endpoints.

Compensating Controls: Employ a WAF with specific rules to detect and drop malicious serialized objects targeting WordPress plugins.

Public Exploit Available: false

This vulnerability is particularly dangerous due to the lack of an authentication requirement. All organizations utilizing EventPrime must treat this as a high-priority remediation task and apply the update immediately to prevent unauthorized access.