PatchSiren cyber security CVE debrief
CVE-2026-39532 Stiofan CVE debrief
A high-severity vulnerability, CVE-2026-39532, was discovered in the Events Calendar for GeoDirectory plugin, version 2.3.25 and below. This vulnerability allows contributors to inject PHP objects, potentially leading to code execution, data breaches, or other malicious activities.
- Vendor
- Stiofan
- Product
- Events Calendar for GeoDirectory
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Administrators and users of the Events Calendar for GeoDirectory plugin, version 2.3.25 and below, should be aware of this vulnerability and take immediate action to mitigate the risk.
Technical summary
The vulnerability, with a CVSS score of 8.8, is caused by inadequate input validation and sanitization, allowing an attacker to inject malicious PHP objects. The Common Weakness Enumeration (CWE) for this vulnerability is CWE-502.
Defensive priority
High
Recommended defensive actions
- Update the Events Calendar for GeoDirectory plugin to a version that is not vulnerable.
- Restrict access to the plugin's functionality to trusted users only.
- Monitor the plugin's logs for suspicious activity.
Evidence notes
The vulnerability was reported by Patchstack and is publicly listed on the CVE website.
Official resources
-
CVE-2026-39532 CVE record
CVE.org
-
CVE-2026-39532 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-39532 was published on 2026-06-15T21:16:47.070Z and modified on 2026-06-15T21:24:32.790Z.