CVE-2026-12378
BookingPress <= 1.1.28 - Unauthenticated PHP Object Injection
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.
| Vendor | unknown |
| Product | appointment booking calendar plugin and scheduling plugin |
| Published | Jul 8, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown appointment booking calendar plugin and scheduling plugin
Be the first to know when new high vulnerabilities affecting unknown appointment booking calendar plugin and scheduling plugin are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / Appointment Booking Calendar Plugin and Scheduling Plugin
0 โค 1.1.28
References
Credits
Sanjar Tulkinov WPScan