CVE-2026-12378
WordPress · Appointment Booking Calendar Plugin and Scheduling Plugin
The Appointment Booking Calendar Plugin for WordPress is vulnerable to insecure deserialization of untrusted data, potentially leading to remote code execution.
Executive summary
An insecure deserialization vulnerability in the Appointment Booking Calendar Plugin for WordPress could allow an unauthenticated attacker to achieve remote code execution.
Vulnerability
The plugin is susceptible to insecure deserialization (CWE-502), which occurs when untrusted data is processed without adequate validation. This flaw can be triggered by an attacker without requiring authentication.
Business impact
This vulnerability carries a CVSS score of 8.1, indicating a high risk of total system compromise. Successful exploitation could grant an attacker full control over the web server, leading to sensitive data exfiltration, malware installation, and complete loss of system availability.
Remediation
Immediate Action: Update the plugin to the latest version immediately to resolve the deserialization flaw.
Proactive Monitoring: Monitor server logs for unexpected execution of system commands or spikes in traffic to booking-related endpoints.
Compensating Controls: Use a WAF to inspect incoming traffic for serialized objects or malicious payloads frequently associated with deserialization attacks.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the potential for remote code execution, this vulnerability should be treated with extreme urgency. Organizations using this plugin must verify their current version and apply the patch as soon as possible to prevent potential compromise.