CVE-2026-57621

Arraytics · Booktics

An unauthenticated PHP object injection vulnerability in the Booktics plugin allows remote attackers to execute arbitrary code on affected systems.

Executive summary

A critical PHP object injection flaw in the Booktics plugin permits unauthenticated attackers to achieve remote code execution, threatening the integrity of the host application.

Vulnerability

The vulnerability is an unauthenticated PHP object injection flaw that occurs within the plugin's data handling processes. By supplying malicious serialized objects, an unauthenticated attacker can manipulate application logic to execute unauthorized code.

Business impact

With a CVSS score of 9.8, this vulnerability represents a critical threat to the confidentiality, integrity, and availability of the affected WordPress site. An exploit could allow attackers to gain administrative control over the application, leading to total system compromise and the theft of scheduling or user data.

Remediation

Immediate Action: Upgrade the Booktics plugin to the most recent version provided by Arraytics to eliminate the vulnerable code path.

Proactive Monitoring: Monitor server logs for abnormal activity, particularly requests that contain serialized PHP objects, which may indicate exploitation attempts.

Compensating Controls: Utilize a WAF to filter and block malicious input patterns often associated with PHP object injection attacks.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability demands immediate attention due to the ease of access for attackers and the severity of the potential impact. Administrators should apply the vendor-supplied update immediately and audit their environments for any signs of prior unauthorized access.