HarborGuard Database

CVE-2026-39532: Severity HIGH. CNA: Patchstack

CVE-2026-39532: WordPress Events Calendar for GeoDirectory plugin <= 2.3.25 - PHP Object Injection vulnerability

PHP Object Injection exploitable by a Contributor-level user in Events Calendar for GeoDirectory, versions <= 2.3.25.

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection vulnerability in the Events Calendar for GeoDirectory WordPress plugin affects all versions up to and including 2.3.25. The flaw is reachable over the network and requires only a low-privilege (Contributor-level) WordPress account, with no additional interaction needed. Successful exploitation allows an attacker to read sensitive data, tamper with site content or stored data, and disrupt service availability. HarborGuard tracks the upstream advisory and will make a patched-image rebuild available the moment a fix version is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-39532 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, NVD, and vendor advisories. Coverage extends to custom-built container images that bundle this WordPress plugin, not only images pulled from public registries.

Triage: Available

Triage is available using the CVSS 3.1 base score of 8.8 (HIGH), with per-environment compliance policy weighting applied to prioritize findings according to each customer organization's risk thresholds. Routed alerts are directed to the appropriate team inbox within each customer org based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published for CVE-2026-39532, HarborGuard re-checks the upstream advisory each ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP/HTTPS.

  • Authentication: Required

    A low-privilege WordPress account at Contributor level or above is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    No user interaction is required; the attacker can trigger the injection directly without social engineering or victim participation.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental prerequisites.

Blast Radius

  • Reads sensitive WordPress data including user records, session tokens, and plugin configuration stored in the database.
  • Modifies or deletes persisted site content, database rows, and plugin state, enabling defacement or data corruption.
  • Crashes or degrades the affected WordPress service, causing availability disruption for site visitors and administrators.
  • Depending on available PHP deserialization gadget chains in the environment, the injection may chain to remote code execution on the container host.
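The gadget-chain bullet above describes the general mechanism behind PHP Object Injection: unserialize() called on attacker-influenced input instantiates whatever classes the serialized blob names, and any loaded class with a magic method (__wakeup, __destruct, __toString) can then run attacker-chosen data. The following is an added illustrative example, not code from the Events Calendar for GeoDirectory plugin or from HarborGuard; the plugin's actual vulnerable code path is not described on this page. It puts the generic vulnerable pattern next to three hardened alternatives. The class CacheEntry, the settings-blob format and every function name are hypothetical, and the code assumes PHP 8.0 or later.

```php
<?php
// Added illustrative example (not the plugin's code). All names are hypothetical.
declare(strict_types=1);

// A hypothetical class with a magic method. In a real application any loaded
// class with such a method is a potential gadget once an attacker can create
// objects of it; this one deliberately does nothing but log.
final class CacheEntry
{
    public function __construct(public string $path = '') {}

    public function __wakeup(): void
    {
        error_log("CacheEntry::__wakeup() ran with path={$this->path}");
    }
}

// Vulnerable form: raw unserialize() of data a low-privilege user controls.
// Every class named in $raw is instantiated and its magic methods fire.
function load_settings_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened form 1: same data format, but object instantiation is disabled.
// Objects in the blob come back as __PHP_Incomplete_Class and no magic
// methods run; we then reject the blob outright because the expected
// settings array never legitimately contains objects.
function load_settings_hardened(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    foreach ($data as $value) {
        if (is_object($value)) {
            return [];
        }
    }
    return $data;
}

// Hardened form 2: do not use PHP serialization for untrusted data at all.
// JSON cannot describe PHP objects, so there is nothing to inject.
function load_settings_json(string $raw): array
{
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Hardened form 3: when a serialized blob must round-trip through the client,
// authenticate it so only blobs the site itself produced are accepted.
function sign_blob(string $blob, string $key): string
{
    return hash_hmac('sha256', $blob, $key) . ':' . $blob;
}

function verify_and_unserialize(string $signed, string $key): mixed
{
    [$mac, $blob] = explode(':', $signed, 2) + [1 => ''];
    if (!hash_equals(hash_hmac('sha256', $blob, $key), $mac)) {
        return null;                      // tampered or unsigned: refuse to parse
    }
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed sample inputs: a benign settings blob and one carrying an object.
$benign   = serialize(['per_page' => 10, 'view' => 'month']);
$tampered = serialize(['theme' => new CacheEntry('/tmp/example')]);

var_dump(load_settings_vulnerable($tampered));  // CacheEntry rebuilt, __wakeup() ran
var_dump(load_settings_hardened($tampered));    // array(0) {} : object detected, rejected
var_dump(load_settings_hardened($benign));      // the two expected settings keys
var_dump(load_settings_json('{"per_page":10}')); // array(1) { ["per_page"]=> int(10) }

$key = 'constructed-demo-key';                  // a real site would use a stored secret
var_dump(verify_and_unserialize(sign_blob($benign, $key), $key) !== null);       // true
var_dump(verify_and_unserialize('deadbeef:' . $tampered, $key));                 // NULL
```

The detection angle for a defender is the same regardless of form: serialized PHP arriving in request parameters, cookies or post meta from Contributor-level accounts is worth alerting on, and running the affected image with allowed_classes restricted is only possible where the plugin's own call site can be changed, which is why the page treats a patched-image rebuild as the real remediation.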

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the upstream Patchstack advisory for CVE-2026-39532 across all customer images that include the Events Calendar for GeoDirectory plugin at versions 2.3.25 and below. Because no patch has been released, HarborGuard re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild automatically once the maintainer publishes a fix. In the interim, customers can apply compensating controls available through HarborGuard policy enforcement: network-policy isolation to restrict inbound access to WordPress instances carrying this plugin, egress filtering to limit outbound connections a deserialized payload could initiate, and feature-flag gating to disable the affected plugin functionality where operationally feasible. For customers who opt into auto-remediation, a rebuild, regression test run, and PR against affected workloads will be opened without manual steps the moment a fix version is confirmed upstream.

Affected packages
  • Stiofan / Events Calendar for GeoDirectory, versions ≤ 2.3.25

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H