CVE-2026-12378
Received Received - Intake

Unauthenticated PHP Object Injection in Appointment Booking Calendar Plugin

Vulnerability report for CVE-2026-12378, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: WPScan

Description

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bookingpress bookingpress to 1.5.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability exists in the BookingPress WordPress plugin version 1.5.5 or earlier. It is caused by the plugin not properly validating input data before passing it to a PHP deserialization function. This flaw allows unauthenticated attackers to inject arbitrary PHP objects into the application.

If the affected site has a suitable gadget chain, this injection can be exploited to achieve remote code execution, meaning an attacker could run malicious code on the server hosting the plugin.

This vulnerability is classified as an insecure deserialization issue, corresponding to CWE-502 and is part of the OWASP Top 10 category A8.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated attackers to execute arbitrary code remotely on the affected server.

  • Attackers could take full control of the server hosting the plugin.
  • They could manipulate or steal sensitive data stored on the server.
  • The server could be used to launch further attacks against other systems.
  • It could lead to website defacement, data loss, or service disruption.
Detection Guidance

This vulnerability involves unauthenticated PHP Object Injection due to improper validation before deserialization in the BookingPress plugin version 1.5.5 or earlier.

Detection typically involves checking the plugin version and monitoring for suspicious PHP deserialization activity or unusual HTTP requests targeting the plugin endpoints.

Since no specific detection commands are provided in the available resources, general steps include:

  • Verify the installed BookingPress plugin version to confirm if it is 1.5.5 or earlier.
  • Use web server logs or intrusion detection systems to look for unusual POST requests or payloads containing serialized PHP objects targeting the plugin.
  • Run commands to check the plugin version, for example, by inspecting the plugin's readme or version file in the WordPress installation directory.
  • Example command to check plugin version on a Linux server hosting WordPress: `grep 'Version' wp-content/plugins/bookingpress/readme.txt` or `cat wp-content/plugins/bookingpress/bookingpress.php | grep 'Version'`.
Mitigation Strategies

As of the last update, no known fix or patch has been released for this vulnerability.

Immediate mitigation steps include:

  • Disable or deactivate the BookingPress plugin if it is version 1.5.5 or earlier until a patch is available.
  • Restrict access to the plugin endpoints by implementing firewall rules or web application firewall (WAF) rules to block unauthenticated requests targeting the plugin.
  • Monitor logs for suspicious activity related to PHP object injection attempts.
  • Keep an eye on official plugin updates and security advisories for a patch or fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12378. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart