CVE-2026-12378 PUBLISHED

BookingPress <= 1.1.28 - Unauthenticated PHP Object Injection

Assigner: WPScan
Reserved: 16.06.2026 Published: 08.07.2026 Updated: 08.07.2026

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.

Product Status

Vendor Unknown
Product Appointment Booking Calendar Plugin and Scheduling Plugin
Versions Default: unknown
  • affected from 0 to 1.1.28 (incl.)

Credits

  • Sanjar Tulkinov finder
  • WPScan coordinator

References

Problem Types

  • CWE-502 Deserialization of Untrusted Data CWE