CVE-2024-24796
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code via PHP object injection due to unsafe deserialization in the WpEvently WordPress plugin. It affects all WordPress sites running the plugin version 4.1.1 or earlier. Attackers can exploit this without authentication to gain control of affected websites.
💻 Affected Systems
- Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete website compromise leading to data theft, malware installation, defacement, or use as part of a botnet.
Likely Case
Remote code execution allowing attackers to create administrative accounts, install backdoors, or steal sensitive data.
If Mitigated
Limited impact if proper web application firewalls and input validation are in place, though risk remains significant.
🎯 Exploit Status
Exploitation requires sending specially crafted requests to vulnerable endpoints. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.2 or later
Vendor Advisory: https://patchstack.com/database/vulnerability/mage-eventpress/wordpress-wpevently-plugin-4-1-1-php-object-injection-vulnerability
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'WpEvently' plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 4.1.2+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched.
wp plugin deactivate mage-eventpress
Web Application Firewall Rule
Block requests containing serialized PHP objects to vulnerable endpoints.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user inputs
- Deploy a web application firewall with rules to detect and block deserialization attacks
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → WpEvently version. If version is 4.1.1 or earlier, you are vulnerable.
Check Version:
wp plugin get mage-eventpress --field=version
Verify Fix Applied:
Verify plugin version is 4.1.2 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin-ajax.php with serialized data
- Unexpected file creation or modification in wp-content/plugins/mage-eventpress
Network Indicators:
- HTTP requests containing serialized PHP objects (O: or C: patterns) to vulnerable endpoints
SIEM Query:
source="web_logs" AND (uri="/wp-admin/admin-ajax.php" OR uri="/wp-content/plugins/mage-eventpress") AND (body MATCHES "O:[0-9]+" OR body MATCHES "C:[0-9]+")
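As an added example (not part of the original advisory), the detection logic behind the SIEM query above, run over constructed JSON-lines web log records. The watched URIs come from the indicators listed here; the regex is tightened to the `O:<len>:"` / `C:<len>:"` form PHP's serialize() emits to cut false positives, and bodies are URL-decoded before matching so an encoded marker is not missed. The log format, field names and sample records are assumptions.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample log records (JSON lines); not captured traffic.
SAMPLE_LOGS = [
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat&_nonce=abc123"}',
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","body":"action=example_action&data=O:8:\\"stdClass\\":1:{s:1:\\"a\\";i:1;}"}',
    '{"method":"POST","uri":"/wp-content/plugins/mage-eventpress/x.php","body":"data=C:11:\\"ArrayObject\\":21:{x:i:0;a:0:{};m:a:0:{}}"}',
    '{"method":"GET","uri":"/wp-content/uploads/2024/01/image.png","body":""}',
    '{"method":"POST","uri":"/wp-login.php","body":"log=admin&pwd=O:1:notreal"}',
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","body":"data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"}',
    'this line is not JSON and must be skipped',
]

# Endpoints named in the advisory's log and network indicators.
WATCHED_URIS = ("/wp-admin/admin-ajax.php", "/wp-content/plugins/mage-eventpress")

# PHP serialized object/custom-object markers: O:<len>:"Class" or C:<len>:"Class".
SERIALIZED_OBJECT = re.compile(r'\b[OC]:[0-9]+:"')


def is_suspicious(record):
    """True when the request targets a watched URI and its (URL-decoded)
    body carries a PHP serialized-object marker."""
    uri = record.get("uri", "")
    if not uri.startswith(WATCHED_URIS):
        return False
    body = unquote_plus(record.get("body", ""))
    return SERIALIZED_OBJECT.search(body) is not None


def find_suspicious(log_lines):
    """Parse JSON log lines and return the URIs of suspicious requests,
    skipping malformed lines instead of aborting the scan."""
    hits = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(record):
            hits.append(record["uri"])
    return hits


if __name__ == "__main__":
    for uri in find_suspicious(SAMPLE_LOGS):
        print("suspicious serialized-object request to", uri)
```

Requests to other URIs, or bodies where "O:" is not followed by a length and an opening quote, are left alone, which is the point of the tighter pattern.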