CVE-2026-57621
Deferred Deferred - Pending Action

Unauthenticated PHP Object Injection in Booktics

Vulnerability report for CVE-2026-57621, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Patchstack

Description

Unauthenticated PHP Object Injection in Booktics <= 1.0.21 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
patchstack booktics to 1.0.21 (inc)
patchstack booktics 1.0.22

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-57621 is a high-priority PHP Object Injection vulnerability found in the WordPress Booktics Plugin versions 1.0.21 and below.

This flaw allows unauthenticated attackers to inject malicious PHP objects into the application, potentially enabling code execution, SQL injection, path traversal, denial of service, and other harmful actions if a suitable Property-Oriented Programming (POP) chain exists.

Because the vulnerability does not require authentication, attackers can exploit it without prior access, making it a critical security risk.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, which may lead to full system compromise.

Attackers could perform SQL injection to access or manipulate sensitive data, execute path traversal attacks to access restricted files, or cause denial of service, disrupting website availability.

Since the exploit is unauthenticated and expected to be targeted in mass-exploit campaigns, thousands of websites using vulnerable versions of the plugin are at significant risk.

Detection Guidance

The vulnerability is an unauthenticated PHP Object Injection in the WordPress Booktics Plugin versions 1.0.21 and below. Detection typically involves monitoring for exploit attempts targeting this plugin version.

Patchstack has issued a mitigation rule to block attacks until the plugin is updated, which implies that detection can be done by applying such rules in web application firewalls or intrusion detection systems.

Specific commands are not provided in the available resources. However, general detection methods include checking web server logs for suspicious requests targeting the Booktics plugin endpoints or scanning the installed plugin version.

Mitigation Strategies

The immediate and recommended step to mitigate this vulnerability is to update the WordPress Booktics Plugin to version 1.0.22 or later, where the vulnerability is patched.

If updating immediately is not possible, applying the mitigation rule issued by Patchstack to block attacks targeting this vulnerability is advised.

Additionally, users unable to update should seek assistance from their hosting provider or web developer to implement protective measures.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57621. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart