๐Ÿ” CVE Alert

CVE-2026-12378

HIGH 8.1

BookingPress <= 1.1.28 - Unauthenticated PHP Object Injection

CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.

Vendor unknown
Product appointment booking calendar plugin and scheduling plugin
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for unknown appointment booking calendar plugin and scheduling plugin

Be the first to know when new high vulnerabilities affecting unknown appointment booking calendar plugin and scheduling plugin are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Appointment Booking Calendar Plugin and Scheduling Plugin
0 โ‰ค 1.1.28

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/eb3abb88-43c3-42a8-a8a8-2ad67d37e020/

Credits

Sanjar Tulkinov WPScan