WordPress Plugin Vulnerabilities

Booking Calendar < 9.1.1 - PHP Object Injection

Description

The plugin unserializes user data without being validated first, which could allow attackers to perform PHP object injection attack. If a timeline is published, unauthenticated attackers could perform such attack, otherwise any authenticated could. A suitable POP chain, from another plugin for example, would also be needed for a successful attack

Affects Plugins

Plugin icon
booking
Fixed in 9.1.1

References

CVE
CVE-2022-1463
URL
https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-calendar-plugin/

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
Yes
WPVDB ID
cf4ebcab-67d5-4f84-b67c-1be65c23e4df

Timeline

Publicly Published
2022-04-27 (about 3 years ago)
Added
2022-04-27 (about 3 years ago)
Last Updated
2022-04-28 (about 3 years ago)

Other

Published
Title
Published
2026-02-23
Title
Tennis SportClub - Tennis Sports Events WordPress Theme <= 1.2.3 - Unauthenticated PHP Object Injection
Published
2023-12-05
Title
Sayfa Sayaç <= 2.6 - Unauthenticated PHP Object Injection
Published
2024-01-31
Title
ERE Recently Viewed < 2.0 - Unauthenticated PHP Object Injection
Published
2025-01-03
Title
ARPrice < 4.2 - Unauthenticated PHP Object Injection
Published
2024-01-05
Title
Gecka Terms Thumbnails <= 1.1 - Authenticated (Subscriber+) PHP Object Injection