CVE-2026-56053
EventPrime · EventPrime
The EventPrime WordPress plugin is susceptible to PHP Object Injection, allowing authenticated subscribers to execute arbitrary code.
Executive summary
A PHP Object Injection vulnerability in the EventPrime plugin allows authenticated subscribers to execute unauthorized code, posing a severe risk to the application.
Vulnerability
This vulnerability is a PHP Object Injection that can be triggered by an authenticated user holding only the subscriber role. The flaw allows an attacker to supply crafted serialized objects that the plugin deserializes, which can lead to remote code execution or other unauthorized backend operations.
Business impact
With a CVSS score of 8.8, this vulnerability represents a significant threat to the confidentiality, integrity, and availability of the host system. Successful exploitation by a malicious subscriber could result in full site compromise, privilege escalation, and unauthorized access to sensitive event data.
Remediation
Immediate Action: Apply the vendor-supplied security update without delay to patch the object injection vulnerability.
Proactive Monitoring: Review application access logs for suspicious serialized strings or unusual POST requests originating from subscriber-level accounts.
Compensating Controls: Use a WAF to block common PHP object injection payloads and restrict administrative/privileged functions to verified IP ranges where possible.
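The log review suggested under Proactive Monitoring can be scripted. The following is an added example written for this advisory, not code from EventPrime or its vendor; it assumes a log that records the request body (as a WAF or application log would, a plain web-server access log usually does not) in a constructed layout of "ip user role method path status body=...". It decodes URL encoding (including double encoding) and flags any request whose query string or body carries a PHP serialized object header, weighting requests from subscriber-level or anonymous accounts as higher severity. The sample log lines and the action name example_action are constructed for the example.

```python
import re
from urllib.parse import unquote

# Header of a PHP serialized object: O:<name length>:"<class name>":<property count>:{
# Serialized arrays (a:...) and scalars are deliberately not matched; only
# objects can carry magic methods, which is what object injection relies on.
PHP_OBJECT_HEADER = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')

# Assumed log layout (constructed for this example): a WAF or application
# log that records the request body, which a plain access log usually does not.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) (?P<role>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) (?P<status>\d{3}) body="(?P<body>.*)"$'
)


def url_decode_fully(text, max_rounds=4):
    """Undo URL encoding until the string stops changing, so that
    double-encoded payloads (O%253A...) are still recognised."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def inspect_line(line):
    """Return a finding dict if the request carries a serialized PHP object
    in its query string or body, otherwise None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    decoded = url_decode_fully(m["path"] + " " + m["body"])
    classes = PHP_OBJECT_HEADER.findall(decoded)
    if not classes:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "role": m["role"],
        "method": m["method"],
        "path": m["path"],
        "classes": classes,
        # Serialized objects submitted by low-privilege or anonymous accounts
        # match the pattern this advisory describes, so weight them higher.
        "severity": "high" if m["role"] in ("subscriber", "-") else "medium",
    }


def scan_log(lines):
    """Scan an iterable of log lines and return every finding."""
    findings = []
    for line in lines:
        finding = inspect_line(line.rstrip("\n"))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: none of these lines come from a real system.
SAMPLE_LOG = [
    '198.51.100.7 - - GET /events/ 200 body=""',
    '203.0.113.9 sub_alice subscriber POST /wp-admin/admin-ajax.php 200 '
    'body="action=example_action&title=Annual%20Meeting"',
    # URL-encoded O:8:"stdClass":0:{} in a POST body from a subscriber
    '203.0.113.5 sub_bob subscriber POST /wp-admin/admin-ajax.php 200 '
    'body="action=example_action&data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"',
    # Double-encoded object header in the query string from an anonymous user
    '203.0.113.5 - - GET /?preview=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D 200 body=""',
    # A serialized array from an editor: not an object, so not flagged
    '192.0.2.4 ed_carol editor POST /wp-admin/admin-ajax.php 200 '
    'body="action=example_action&data=a%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22ok%22%3B%7D"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the scanner reports the two requests that carry an object header (the subscriber POST and the double-encoded anonymous GET) and ignores the serialized array, since only objects can trigger magic methods on deserialization. The class name in a hit is worth recording for triage, but the signal is the presence of any object header from an account that has no business submitting serialized data, regardless of class.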
Exploitation status
Public Exploit Available: false
Analyst recommendation
The risk of remote code execution via object injection is substantial. Security teams must ensure all instances of the EventPrime plugin are updated to the latest secure version immediately to prevent unauthorized code execution.