CVE-2025-26967

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Events Calendar for GeoDirectory WordPress plugin. Successful exploitation could lead to remote code execution or data manipulation. All WordPress sites using affected plugin versions are vulnerable.

💻 Affected Systems

Products:
  • Events Calendar for GeoDirectory WordPress Plugin
Versions: All versions up to and including 2.3.14
Operating Systems: All platforms running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Unauthorized data access, privilege escalation, or website defacement.

🟢

If Mitigated

Limited impact with proper input validation and security controls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Deserialization vulnerabilities are commonly exploited and weaponization is likely given the high CVSS score.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.15 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/events-for-geodirectory/vulnerability/wordpress-events-calendar-for-geodirectory-plugin-2-3-14-php-object-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find 'Events Calendar for GeoDirectory'.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.3.15+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched.

wp plugin deactivate events-for-geodirectory

Web Application Firewall Rule

all

Block deserialization attempts at WAF level.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs
  • Deploy web application firewall with deserialization attack detection

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Events Calendar for GeoDirectory version number.

Check Version:

wp plugin get events-for-geodirectory --field=version

Verify Fix Applied:

Confirm plugin version is 2.3.15 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to plugin endpoints
  • PHP object injection patterns in logs
  • Unexpected file writes or process execution

Network Indicators:

  • HTTP requests with serialized objects in parameters
  • Traffic to known exploit paths

SIEM Query:

source="web_logs" AND (uri="*geodirectory*" OR uri="*events*" OR uri="*calendar*") AND (method="POST" OR method="PUT") AND (param="*serialize*" OR param="*unserialize*" OR data="*O:*" OR data="*C:*")
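The SIEM query above encodes the same detection idea as a string match; the following Python script is an added example (not part of the original page, the vendor's or Patchstack's tooling) that applies that logic to web-server log lines offline. It flags write requests (POST/PUT) to URIs matching the query's hints (geodirectory, events, calendar) whose query string or body carries a serialized PHP object (`O:` or `C:` marker), after URL-decoding and base64-decoding the parameters, since payloads are commonly wrapped that way. The log format, the body field and all sample lines are constructed for the example; the plugin's real endpoint paths are not on the page, so the URI hints are only those from the SIEM query and should be tuned to your installation.

```python
import base64
import re
from urllib.parse import unquote_plus

# A serialized PHP object looks like  O:<len>:"<Class>":<n>:{...}; a class that
# implements Serializable is emitted as  C:<len>:"<Class>":<n>:{...}.
# Serialized arrays (a:...) are deliberately NOT matched, to limit false positives.
PHP_OBJECT_RE = re.compile(r'\b([OC]):\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:[{]')
# Long base64-looking runs are decoded one layer deep as well.
BASE64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
# Request line plus an optional body="..." field of the constructed log format below.
LOG_RE = re.compile(
    r'"(?P<method>GET|POST|PUT) (?P<uri>\S+) HTTP/1\.[01]"(?:.*?body="(?P<body>[^"]*)")?'
)
# URI fragments taken from the SIEM query on the page; the plugin's actual endpoints
# are not listed there, so this is a hint list (assumption), not a definitive one.
URI_HINTS = ("geodirectory", "events", "calendar")


def decode_views(value):
    """Return the raw value plus URL-decoded and base64-decoded renderings of it."""
    views = [value]
    decoded = unquote_plus(value)
    if decoded != value:
        views.append(decoded)
    for candidate in list(views):          # snapshot: decode only one base64 layer
        for blob in BASE64_RE.findall(candidate):
            padded = blob + "=" * (-len(blob) % 4)
            try:
                views.append(base64.b64decode(padded).decode("utf-8", "replace"))
            except ValueError:             # binascii.Error is a ValueError subclass
                continue
    return views


def find_php_objects(value):
    """Class names of serialized PHP objects found in value or any decoding of it."""
    found = []
    for view in decode_views(value):
        for _, cls in PHP_OBJECT_RE.findall(view):
            if cls not in found:
                found.append(cls)
    return found


def scan_log_lines(lines):
    """Return (line_no, method, uri, classes) for write requests to plugin-like URIs
    that carry a serialized PHP object in the query string or body."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m or m.group("method") == "GET":
            continue
        uri = m.group("uri")
        if not any(hint in uri.lower() for hint in URI_HINTS):
            continue
        classes = find_php_objects(uri) + find_php_objects(m.group("body") or "")
        classes = list(dict.fromkeys(classes))   # de-duplicate, keep order
        if classes:
            hits.append((line_no, m.group("method"), uri, classes))
    return hits


# Constructed sample log lines (not real traffic). The payload is a harmless
# placeholder object; only the O:/C: marker matters for detection.
_PAYLOAD = b'O:8:"Demo_Obj":1:{s:3:"foo";s:3:"bar";}'
_B64_PAYLOAD = base64.b64encode(_PAYLOAD).decode()
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /events/calendar/ HTTP/1.1" 200 4096',
    '203.0.113.11 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=geodirectory_event_import HTTP/1.1" 200 128 '
    'body="data=O%3A8%3A%22Demo_Obj%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D"',
    '203.0.113.12 - - [01/Jan/2025:10:00:02 +0000] "POST /wp-json/geodirectory/v1/events HTTP/1.1" 200 64 '
    'body="payload=' + _B64_PAYLOAD + '"',
    '203.0.113.13 - - [01/Jan/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 body="log=admin&pwd=secret"',
    '203.0.113.14 - - [01/Jan/2025:10:00:04 +0000] "POST /events/?q=a%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22foo%22%3B%7D HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for line_no, method, uri, classes in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {method} {uri} -> serialized object(s): {classes}")
```

Lines 2 and 3 are flagged (URL-encoded and base64-wrapped object respectively); line 1 is a GET, line 4 does not touch a plugin-like URI, and line 5 carries a serialized array rather than an object, so none of those fire. Body logging is the key assumption: stock Apache/nginx access logs omit POST bodies, so this check belongs at a WAF, reverse proxy or application log that records request parameters.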

🔗 References
