
CVE-2025-32145: WpEvently Object Injection Vulnerability

CVE-2025-32145 is an object injection flaw in the WpEvently (mage-eventpress) plugin caused by deserialization of untrusted data. This vulnerability affects versions up to 4.3.6 and can allow attackers to manipulate objects.

CVE-2025-32145 Overview

CVE-2025-32145 is a PHP Object Injection vulnerability in the WpEvently plugin (mage-eventpress) developed by magepeopleteam for WordPress. The flaw stems from deserialization of untrusted data [CWE-502] and affects all plugin versions up to and including 4.3.6. An authenticated attacker with low privileges can submit crafted serialized payloads that the plugin deserializes, triggering object injection. Successful exploitation can lead to remote code execution, file manipulation, or full site compromise depending on PHP magic methods available in the application context.

Critical Impact

Authenticated attackers can inject malicious PHP objects to compromise confidentiality, integrity, and availability of affected WordPress sites running WpEvently 4.3.6 or earlier.

Affected Products

  • WpEvently plugin (mage-eventpress) for WordPress, all versions through 4.3.6
  • WordPress sites with the WpEvently plugin installed and activated
  • Hosting environments running PHP with vulnerable WpEvently deserialization paths exposed

Discovery Timeline

  • 2025-04-10 - CVE-2025-32145 published to the National Vulnerability Database
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-32145

Vulnerability Analysis

The WpEvently plugin processes serialized PHP data from untrusted input without sufficient validation. When unserialize() operates on attacker-controlled data, PHP instantiates arbitrary objects and invokes magic methods such as __wakeup(), __destruct(), or __toString(). This behavior enables PHP Object Injection (POI), a class of insecure deserialization issue tracked under [CWE-502].

Exploitation typically chains existing classes loaded by WordPress core, the plugin itself, or other active plugins to form a property-oriented programming (POP) gadget chain. The resulting actions can include arbitrary file writes, SQL execution, or remote code execution depending on the gadget surface available at runtime.

The attacker requires authenticated access with low privileges, but no user interaction is needed. The attack is delivered over the network against the plugin endpoint that performs deserialization.

Root Cause

The root cause is the plugin passing attacker-influenced input directly to PHP's unserialize() function. The code does not validate, sign, or restrict the object types permitted during deserialization, allowing instantiation of any class available in the runtime.
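
The difference between the unrestricted call and a restricted one, as an added example (not the plugin's code, which this page does not show). `AuditProbe`, `load_unsafe`, `load_safe`, `reject_objects` and the sample payload are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Constructed stand-in for any loaded class with magic methods; it only
// records that they ran.
final class AuditProbe
{
    public static array $calls = [];
    public function __wakeup(): void { self::$calls[] = '__wakeup'; }
    public function __destruct() { self::$calls[] = '__destruct'; }
}

// The pattern named in the root cause: any class in the runtime may be built.
function load_unsafe(string $raw)
{
    return unserialize($raw);
}

// Reject objects anywhere in the decoded value. With allowed_classes=false
// they arrive as __PHP_Incomplete_Class, whose magic methods never run.
function reject_objects($value): void
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            reject_objects($item);
        }
    }
}

function load_safe(string $raw): array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    reject_objects($value);
    return $value;
}

$payload = 'a:1:{s:5:"event";O:10:"AuditProbe":0:{}}'; // constructed sample input
load_unsafe($payload);
echo 'unsafe ran: ', implode(',', AuditProbe::$calls), PHP_EOL;
AuditProbe::$calls = [];
try {
    load_safe($payload);
} catch (InvalidArgumentException $e) {
    echo 'safe rejected input, magic methods run: ', count(AuditProbe::$calls), PHP_EOL;
}
```

Where the stored data is only arrays and scalars, `json_encode()`/`json_decode()` removes the object-instantiation path entirely.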

Attack Vector

An authenticated user submits a request containing a serialized payload to a vulnerable WpEvently handler. The plugin deserializes the payload, triggering magic methods on injected objects. Refer to the Patchstack Vulnerability Advisory for advisory details. No public proof-of-concept exploit code is available, so an exploitation example is not provided.

Detection Methods for CVE-2025-32145

Indicators of Compromise

  • HTTP requests to WpEvently endpoints containing serialized PHP markers such as O:, a:, s:, or C: in POST bodies or query parameters
  • Unexpected creation or modification of PHP files under wp-content/uploads/ or plugin directories following plugin requests
  • Outbound network connections initiated by the PHP worker process after WpEvently form submissions
  • New or modified WordPress administrator accounts following authenticated user activity from non-admin roles

Detection Strategies

  • Inspect WordPress access logs for POST requests to WpEvently AJAX or REST endpoints containing serialized object signatures
  • Monitor PHP error logs for __wakeup, __destruct, or class instantiation errors correlating with WpEvently activity
  • Deploy a Web Application Firewall (WAF) rule blocking serialized PHP object patterns in request bodies destined for the plugin
  • Audit file integrity on the WordPress installation to detect webshells or modified plugin code

Monitoring Recommendations

  • Enable verbose logging on the WpEvently plugin endpoints and forward logs to a centralized SIEM
  • Alert on authenticated low-privilege accounts submitting payloads matching PHP serialization grammar
  • Correlate plugin requests with subsequent process executions such as php, sh, or outbound curl activity
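
One way to implement the parameter inspection described in the detection and monitoring lists above, as an added example rather than code from the plugin or the advisory. It goes slightly beyond the `O:` pattern by also checking `C:` tokens and the URL-decoded and base64-decoded forms of each value; the function names and the sample request are hypothetical.

```php
<?php
declare(strict_types=1);

// Object-bearing tokens in PHP's serialization format:
// O:<len>:"<class>":<count>:{ and C:<len>:"<class>":<len>:{
const OBJECT_TOKEN = '/[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';

// Forms of a value worth inspecting: as received, URL-decoded, and
// base64-decoded when the value is strictly valid base64.
function candidate_forms(string $value): array
{
    $forms = [$value, rawurldecode($value)];
    $decoded = base64_decode($value, true);
    if ($decoded !== false && $decoded !== '') {
        $forms[] = $decoded;
    }
    return $forms;
}

// Walk request parameters, nested arrays included, and return the names of
// those whose value contains a serialized object token.
function find_object_params(array $params, string $prefix = ''): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        $path = $prefix === '' ? (string) $name : $prefix . '[' . $name . ']';
        if (is_array($value)) {
            $hits = array_merge($hits, find_object_params($value, $path));
            continue;
        }
        foreach (candidate_forms((string) $value) as $form) {
            if (preg_match(OBJECT_TOKEN, $form) === 1) {
                $hits[] = $path;
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample request parameters (shape of $_POST), not captured traffic.
$request = [
    'title' => 'Open day: 10:30',
    'meta'  => ['opts' => 'a:1:{i:0;O:8:"stdClass":0:{}}'],
    'blob'  => base64_encode('O:8:"stdClass":0:{}'),
    'enc'   => 'O%3A8%3A%22stdClass%22%3A0%3A%7B%7D',
];
print_r(find_object_params($request)); // flagged names feed logging or a 403
```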

How to Mitigate CVE-2025-32145

Immediate Actions Required

  • Update the WpEvently plugin to a version newer than 4.3.6 once the vendor publishes a fixed release
  • Restrict access to WpEvently administrative and event management endpoints to trusted users only
  • Audit existing WordPress user accounts and remove unused low-privilege accounts that could be abused for authenticated exploitation
  • Apply virtual patching at the WAF layer to block serialized PHP payloads targeting the plugin

Patch Information

At the time of publication, the vulnerability affects WpEvently versions up to and including 4.3.6. Consult the Patchstack Vulnerability Advisory for the latest fixed version information from magepeopleteam.

Workarounds

  • Deactivate and remove the WpEvently plugin until a patched version is installed
  • Configure a WAF rule to reject requests containing serialized PHP object patterns (O:[0-9]+:) to the plugin path
  • Use disable_functions in php.ini to restrict dangerous functions reachable via gadget chains where compatible with site functionality
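
# Example WAF rule (ModSecurity) to block serialized PHP objects in plugin requests.
# Requires SecRequestBodyAccess On so that REQUEST_BODY is populated.
# The first condition matches only URIs containing the plugin directory; requests routed
# through /wp-admin/admin-ajax.php or /wp-json/ need their own REQUEST_URI condition.
# The class-name character set includes 0-9 because PHP class names may contain digits.
SecRule REQUEST_URI "@contains /wp-content/plugins/mage-eventpress/" \
  "chain,id:1003214,phase:2,deny,status:403,log,msg:'Possible PHP Object Injection - CVE-2025-32145'"
  SecRule ARGS|REQUEST_BODY "@rx O:[0-9]+:\"[a-zA-Z0-9_\\\\]+\":[0-9]+:" "t:none"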

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
