CVE-2025-26967
Published: 03 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-26967 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Events Calendar for GeoDirectory WordPress plugin by Stiofan, which allows Object Injection. The issue affects the plugin in all versions from n/a through 2.3.14.
Attackers with low privileges (PR:L), such as authenticated users, can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), without changing scope (S:U). Successful exploitation can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in the CVSS v3.1 base score of 8.8.
The Patchstack advisory provides further details on the vulnerability, including mitigation guidance, at https://patchstack.com/database/Wordpress/Plugin/events-for-geodirectory/vulnerability/wordpress-events-calendar-for-geodirectory-plugin-2-3-14-php-object-injection-vulnerability?_s_id=cve.
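As an added illustration (not code from the plugin or the Patchstack advisory), the generic PHP pattern behind a CWE-502 object injection like the one described above, beside two hardened alternatives; the class `CacheWriter`, the `load_event_prefs_*` functions and the request shape are hypothetical.

```php
<?php
// Added example, not code from the Events Calendar for GeoDirectory plugin.
// Shows the CWE-502 pattern behind CVE-2025-26967 in generic form: a plugin
// routine that hands request data to unserialize(), beside hardened forms.

// A class with a magic method is what makes object injection dangerous: PHP
// runs __wakeup()/__destruct() for whatever class the serialized string names.
// Hypothetical class, included only to show what the hardened version blocks.
class CacheWriter {
    public $path;
    public $contents;
    public function __destruct() {
        // Any side effect here becomes attacker-controlled if an untrusted
        // string can instantiate this class.
        error_log("CacheWriter::__destruct would write to " . $this->path);
    }
}

// VULNERABLE: trusting a request parameter as serialized PHP.
function load_event_prefs_vulnerable(string $raw) {
    return unserialize($raw); // any loadable class can be instantiated
}

// HARDENED: refuse objects entirely and whitelist the fields actually used.
function load_event_prefs_hardened(string $raw): array {
    // allowed_classes => false turns every object into __PHP_Incomplete_Class,
    // so no magic method of a real class ever runs (PHP 7.0+).
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return []; // malformed input: unserialize() returns false
    }
    return [
        'view'     => in_array($data['view'] ?? '', ['list', 'month'], true)
                        ? $data['view'] : 'list',
        'per_page' => max(1, min(100, (int) ($data['per_page'] ?? 10))),
    ];
}

// PREFERRED for new code: JSON carries no class names at all, so there is
// nothing for an object-injection payload to instantiate.
function load_event_prefs_json(string $raw): array {
    $data = json_decode($raw, true);
    return is_array($data) ? $data : [];
}
```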
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A deserialization/object injection vulnerability in a public-facing WordPress plugin allows low-privilege authenticated users to achieve high confidentiality, integrity and availability impact, which maps directly to Exploit Public-Facing Application (T1190) and Exploitation for Privilege Escalation (T1068).