WordPress Plugin Vulnerabilities

BookingPress <= 1.5.5 - Unauthenticated PHP Object Injection

Description

The plugin does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.

Proof of Concept

Affects Plugins

References

Classification

Type
OBJECT INJECTION
CWE
CVSS

Miscellaneous

Original Researcher
Sanjar Tulkinov
Submitter
Sanjar Tulkinov
Verified
Yes

Timeline

Publicly Published
2026-06-17 (about 22 days ago)
Added
2026-06-17 (about 21 days ago)
Last Updated
2026-07-08 (about 10 hours ago)

Other