CVE-2024-1895: 
WordPress vulnerability analysis and mitigation

The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress contains a PHP Object Injection vulnerability (CVE-2024-1895) affecting all versions up to and including 1.3.4. The vulnerability was discovered and reported by Wordfence, with initial disclosure on April 30, 2024 (Wordfence Report).

The vulnerability exists in the shortcode functionality where untrusted input from a custom meta value is deserialized without proper validation. This implementation flaw has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (Wordfence Report).

While no POP (Property-Oriented Programming) chain is present in the vulnerable plugin itself, if a POP chain exists via additional plugins or themes installed on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute arbitrary code on the affected system (NVD).

Site administrators running vulnerable versions of the Event Monster plugin should update to a patched version when available or consider removing the plugin if immediate mitigation is required (NVD).