CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26967 – WordPress Events Calendar for GeoDirectory plugin <= 2.3.14 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-26967
23 Feb 2025 — Deserialization of Untrusted Data vulnerability in Stiofan Events Calendar for GeoDirectory allows Object Injection. This issue affects Events Calendar for GeoDirectory: from n/a through 2.3.14. The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.3.14 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is p... • https://patchstack.com/database/wordpress/plugin/events-for-geodirectory/vulnerability/wordpress-events-calendar-for-geodirectory-plugin-2-3-14-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •