CVE-2024-8016

9.1 CRITICAL

📋 TL;DR

The Events Calendar Pro WordPress plugin is vulnerable to PHP object injection through deserialization of untrusted input in the 'filters' parameter. This allows authenticated attackers with administrator access (or contributor access when Elementor is installed) to execute arbitrary code. All versions up to 7.0.2 are affected.

💻 Affected Systems

Products:
  • The Events Calendar Pro WordPress plugin
Versions: All versions up to and including 7.0.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: When installed alongside Elementor, the vulnerability becomes exploitable by users with contributor-level access and above.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise leading to data theft, malware deployment, or complete site takeover via remote code execution.

🟠 Likely Case: Unauthorized code execution leading to backdoor installation, data exfiltration, or site defacement.

🟢 If Mitigated: Limited impact if proper access controls and network segmentation prevent exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access (administrator by default; contributor or higher when Elementor is installed). Turning the object injection into remote code execution depends on a usable POP (property-oriented programming) gadget chain being present in the installed PHP codebase.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.2.1

Vendor Advisory: https://theeventscalendar.com/blog/news/important-security-update-for-the-events-calendar-pro/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'The Events Calendar Pro' and click 'Update Now'.
4. Verify the version is 7.0.2.1 or higher.

🔧 Temporary Workarounds

Disable vulnerable widgets (applies to: all)
Remove or disable widgets using the 'filters' parameter to prevent exploitation.

Restrict user roles (applies to: all)
Temporarily limit administrator and contributor access to essential personnel only.

🧯 If You Can't Patch

  • Disable The Events Calendar Pro plugin entirely until patched
  • Implement web application firewall rules to block requests containing suspicious serialized data

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin panel under Plugins → Installed Plugins.

Check Version:

wp plugin list --name='The Events Calendar Pro' --field=version

Verify Fix Applied:

Confirm plugin version is 7.0.2.1 or higher in WordPress admin.
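As an added example (not from the advisory or the plugin vendor), a small Python check that applies the "7.0.2.1 or higher" rule numerically rather than by string comparison, and interprets the output of the wp-cli command above. The WordPress install path in check_installed is an assumption; the plugin name is passed exactly as the page's command gives it, and an empty wp-cli result is treated as "plugin not found" rather than "fixed".

```python
import re
import subprocess

FIXED_VERSION = "7.0.2.1"  # first fixed release per the advisory


def parse_version(version: str) -> tuple:
    """Turn '7.0.2.1' into (7, 0, 2, 1) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release.

    Tuple comparison handles the cases a plain string compare gets wrong:
    '7.0.2' is older than '7.0.2.1' (shorter prefix) and '7.0.10' is newer
    than '7.0.2.1' even though '1' sorts before '2' as text.
    """
    return parse_version(installed) < parse_version(fixed)


def check_wp_output(output: str):
    """Interpret the text printed by `wp plugin list ... --field=version`.

    Returns True (vulnerable) or False (fixed), or None when the output is
    empty, which is what wp-cli prints when no plugin matches the --name
    filter; an empty result must not be read as "patched".
    """
    version = output.strip()
    if not version:
        return None
    return is_vulnerable(version)


def check_installed(wp_path: str = "/var/www/html"):
    """Run the advisory's wp-cli command against a live site.

    Assumes `wp` is on PATH and wp_path points at the WordPress root
    (both are assumptions for this example, not values from the page).
    """
    result = subprocess.run(
        ["wp", "plugin", "list", "--name=The Events Calendar Pro",
         "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return check_wp_output(result.stdout)


if __name__ == "__main__":
    for sample in ("7.0.2", "7.0.2.1", "7.0.10", "6.5.0"):
        print(sample, "vulnerable" if is_vulnerable(sample) else "fixed")
```

Run it with no arguments to see the comparison on the sample versions; call check_installed() on a host with wp-cli to test the real install.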

📡 Detection & Monitoring

Log Indicators:

  • POST requests to widget endpoints containing serialized data in 'filters' parameter
  • Unusual PHP process execution from web user context

Network Indicators:

  • HTTP requests with base64-encoded or serialized data in parameters

SIEM Query:

source="web_logs" AND (uri_path="*widget*" OR uri_path="*admin-ajax*") AND (param="filters" AND value="*O:*")
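The log indicators and SIEM query above, turned into a runnable check as an added example that is not part of the advisory: it parses Apache combined-format access-log lines, keeps requests whose path contains "widget" or "admin-ajax" (the same scope as the query), and flags a 'filters' query parameter whose value, raw or base64-encoded, carries the PHP serialized-object prefix `O:<len>:"`. The parameter name 'filters' and the `O:` marker come from the page; the log lines, IP addresses, timestamps and the `action=widget_render` value are constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache "combined" format (not real traffic).
# Line 1: URL-encoded serialized object in 'filters'.  Line 2: a serialized array
# (a:...), which the 'O:' rule deliberately does not flag.  Line 3: the same object
# marker hidden behind base64.  Line 4: unrelated admin-ajax traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=widget_render&filters=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=widget_render&filters=a%3A1%3A%7Bs%3A3%3A%22cat%22%3Bs%3A4%3A%22news%22%3B%7D HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2024:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=widget_render&filters=TzoxOiJYIjowOnt9 HTTP/1.1" 200 300 "-" "curl/8.0"
192.0.2.9 - - [10/Sep/2024:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# PHP serialized-object prefix: O:<class-name length>:"<class name>":...
PHP_OBJECT_RE = re.compile(r'O:\d+:"')


def looks_like_php_object(value: str) -> bool:
    """True if the value, raw or base64-encoded, contains a PHP serialized-object marker."""
    if PHP_OBJECT_RE.search(value):
        return True
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return False  # not valid base64, so there is no encoding layer to look behind
    return bool(PHP_OBJECT_RE.search(decoded))


def scan_log(text: str) -> list:
    """Return one alert dict per request matching the advisory's indicators."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        target = urlsplit(match["target"])
        # Same scope as the SIEM query: widget endpoints and admin-ajax.
        if "widget" not in target.path and "admin-ajax" not in target.path:
            continue
        # parse_qs URL-decodes values, so O%3A8%3A... becomes O:8:...
        for value in parse_qs(target.query).get("filters", []):
            if looks_like_php_object(value):
                alerts.append({
                    "ip": match["ip"],
                    "ts": match["ts"],
                    "method": match["method"],
                    "path": target.path,
                    "filters": value,
                })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} {alert['method']} {alert['path']} filters={alert['filters']!r}")
```

Two caveats when running this against real data: a standard access log records only the query string, so a 'filters' value sent in a POST body is visible only where request bodies are logged (a WAF or reverse proxy with body logging), and the rule matches only the object marker, so a serialized array on the same endpoint (line 2 of the sample) is not reported, exactly as the page's SIEM query would behave.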
