CVE-2024-1895

Name of the Vulnerable Software and Affected Versions The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress versions up to, and including, 1.3.4

Description The issue concerns a PHP Object Injection vulnerability via deserialization of untrusted input from a custom meta value through a shortcode. This allows authenticated attackers with contributor access or higher to inject a PHP Object. If a POP chain is present via an additional plugin or theme, it could enable the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations For versions up to, and including, 1.3.4, update to a patched version if available or remove the plugin to mitigate the risk. As a temporary workaround, consider auditing the plugin code for insecure deserialization and restricting access to sensitive data until a patch is available. Avoid using shortcodes that deserialize untrusted input from custom meta values until the issue is resolved.