HarborGuard Database
CVE-2026-42687 | Severity: HIGH | CNA: Patchstack

CVE-2026-42687: WordPress EventPrime plugin <= 4.3.2.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in EventPrime versions 4.3.2.1 and earlier.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no upstream fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

CVE-2026-42687 is a PHP Object Injection vulnerability in the EventPrime WordPress plugin (versions 4.3.2.1 and earlier): attacker-controlled data reaches PHP's unserialize() without validation, so the attacker decides which classes are instantiated and which magic methods (__wakeup(), __destruct() and similar) run on the server. The vulnerable path is reachable over the network and requires no authentication. What an attacker can do with it depends on the target environment, specifically on whether the classes loaded on the site (WordPress core, other plugins, themes, bundled libraries) supply a usable gadget chain; where one exists, the high confidentiality, integrity and availability impacts in the CVSS vector apply, up to arbitrary code execution as the web-server user. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
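
The following PHP is an added illustration of the pattern described above; it is not code from EventPrime, Patchstack or HarborGuard, and the advisory does not describe the actual vulnerable endpoint or any gadget available on a real site. The LogWriter class, the load_filter_* functions, the request parameter and the payload are hypothetical stand-ins. It shows the unserialize() anti-pattern, the hardened form using the allowed_classes option, and a request-level heuristic that flags serialized object tokens in input. It assumes PHP 8.0 or later.

```php
<?php
// Added example, not code from EventPrime or HarborGuard. Demonstrates the
// unserialize() anti-pattern behind PHP Object Injection, a hardened
// replacement, and a simple request-level check. Class, function and
// parameter names are hypothetical stand-ins. Requires PHP 8.0+.

declare(strict_types=1);

// Stand-in for any class whose magic methods run when an object is
// unserialized or destroyed. Real gadget chains live in framework, plugin
// or vendor code the attacker did not write; this one only records that
// its destructor fired so the demo stays harmless.
final class LogWriter
{
    /** @var string[] */
    public static array $events = [];

    public function __construct(public string $path = '/tmp/app.log') {}

    public function __destruct()
    {
        // A real gadget might write attacker-controlled data to $this->path.
        self::$events[] = 'destruct:' . $this->path;
    }
}

// VULNERABLE: untrusted request data reaches unserialize() with no class
// restriction, so the attacker chooses which class gets instantiated.
function load_filter_vulnerable(string $raw): mixed
{
    return unserialize((string) base64_decode($raw, true));
}

// HARDENED: allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class, so no constructor, __wakeup() or __destruct() of an
// attacker-chosen class ever runs. For new code prefer json_decode() and do
// not accept PHP serialization from the network at all.
function load_filter_hardened(string $raw): mixed
{
    $data = base64_decode($raw, true);
    if ($data === false) {
        return null;
    }
    return unserialize($data, ['allowed_classes' => false]);
}

// Detection heuristic: a serialized object token, O:<len>:"<Class>":<n>:{
// (or the C: form used by classes with custom serialization) inside a
// request parameter is a strong sign of an injection attempt. Scalars and
// arrays (s:, i:, a:) are all a legitimate client would ever send.
function contains_serialized_object(string $value): bool
{
    return preg_match('/\b[OC]:\d+:"[^"]+":\d+:\{/', $value) === 1;
}

// Constructed attacker payload: a serialized LogWriter with a chosen path.
$payload = base64_encode(serialize(new LogWriter('/var/www/html/wp-content/uploads/x.php')));
LogWriter::$events = [];   // discard the destruct event from the temporary above

// Vulnerable path: the gadget is instantiated from attacker bytes and its
// destructor runs as soon as the object is released.
$obj = load_filter_vulnerable($payload);
var_dump($obj instanceof LogWriter);
unset($obj);
var_dump(LogWriter::$events);

// Hardened path: an inert __PHP_Incomplete_Class; nothing in LogWriter runs.
LogWriter::$events = [];
$safe = load_filter_hardened($payload);
var_dump($safe instanceof __PHP_Incomplete_Class);
unset($safe);
var_dump(LogWriter::$events);

// Request-level check on the decoded parameter value versus a benign array.
var_dump(contains_serialized_object((string) base64_decode($payload, true)));
var_dump(contains_serialized_object('a:1:{i:0;s:3:"abc";}'));
```

Run it with `php example.php`. On the vulnerable path LogWriter is instantiated from the attacker's bytes and its __destruct() fires on release, which is exactly where a real gadget would do its damage; on the hardened path unserialize() yields an inert __PHP_Incomplete_Class and LogWriter's methods never execute. The token check is useful as a WAF or log-search rule while a fix is pending, but it is a compensating control and not a remediation: payloads can be encoded or nested in ways the regex does not see, so the unserialize() call itself has to be removed or restricted.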

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle the EventPrime plugin.

Triage: Available

HarborGuard scores this vulnerability at 8.1 HIGH (CVSS v3.1) and applies per-environment compliance policy weighting to determine urgency before routing the finding to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated version. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads as soon as that rebuild becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the target WordPress instance via HTTP/HTTPS.

  • Authentication: Not required

    No account or session credential of any kind is needed; the attacker sends a crafted unauthenticated request to trigger unserialization.

  • Victim interaction: Not required

    Exploitation is entirely server-side; no user action such as clicking a link or opening a file is involved.

  • Attack complexity: High

    Triggering unserialize() is straightforward, but turning it into a meaningful impact depends on a suitable gadget chain being present among the classes loaded on the target (WordPress core, other installed plugins, themes, bundled libraries). That is an environmental factor outside the attacker's direct control, which is why the CVSS vector carries AC:H.

Blast Radius

  • Reads sensitive data stored in the WordPress database, including password hashes, session data, and plugin configuration.
  • Modifies or deletes persisted database rows and filesystem content, including posts, options, and uploaded files.
  • Executes arbitrary code on the server if a suitable gadget chain is available, with the privileges of the PHP/web-server user; from there an attacker can reach anything that user can reach, including co-hosted sites and any credentials in wp-config.php.
  • Crashes or destabilizes the PHP process, taking down the WordPress site and any co-hosted services.

How HarborGuard Handles This

Because no upstream fix exists for CVE-2026-42687 at this time, HarborGuard continuously re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild the moment EventPrime ships a remediated release. In the interim, customers can apply compensating controls through HarborGuard policy: network-policy rules that restrict public access to the affected WordPress instance, egress filtering to limit outbound connections from the container in the event of a successful compromise, and feature-flag or plugin-deactivation guidance surfaced through the finding detail pane. Deactivating the plugin is the only interim measure that removes the unserialize() call itself; the network controls reduce exposure and limit what a compromised container can reach. For customers with auto-remediation enabled, the full rebuild-plus-regression-test-plus-PR flow will trigger automatically against affected workloads as soon as the upstream fix is available, with median time from CVE patch publication to merged PR running around 90 minutes for HIGH-severity issues in those environments.

Affected packages
  • EventPrime / EventPrime
    ≤ 4.3.2.1
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H