CVE-2025-54742
Published: 28 August 2025
Summary
CVE-2025-54742 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 36.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-54742 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WpEvently WordPress plugin by magepeopleteam, also known as mage-eventpress. The flaw enables PHP Object Injection and affects all versions up to and including 4.4.8.
With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited remotely by an authenticated attacker with low privileges, such as a standard registered WordPress user. Exploitation requires low complexity and no user interaction, potentially allowing the attacker to achieve high impacts on confidentiality, integrity, and availability through malicious object deserialization.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-4-4-8-php-object-injection-vulnerability?_s_id=cve provides further details on the vulnerability and mitigation recommendations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25969
Vulnerability details
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 4.4.8.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe PHP deserialization (object injection) in a public-facing WordPress plugin directly enables remote exploitation by an authenticated attacker, matching T1190.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2025-54742 by requiring timely remediation through patching the deserialization flaw in WpEvently plugin versions <=4.4.8.
Prevents object injection by validating and sanitizing untrusted inputs before deserialization, addressing the core CWE-502 vulnerability.
Identifies the deserialization vulnerability in the WpEvently plugin through regular vulnerability scanning, enabling proactive remediation.