WpEvently 5.1.1 and earlier allows malicious code execution

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

9.8

WpEvently 5.1.1 and earlier allows malicious code execution

CVE-2026-23549

Summary

An attacker can inject malicious code into the WpEvently plugin on your WordPress site, potentially allowing them to access or modify sensitive data. This issue affects versions of WpEvently up to 5.1.1. To protect your site, update to a patched version of WpEvently as soon as possible.

Original title

Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.1.1.

Original description

Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.1.1.

nvd CVSS3.1 9.8

Vulnerability type

CWE-502 Deserialization of Untrusted Data

https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/w...

Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026