BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin, CVE-2026-12378
- CVE, Research URL
- Home page URL
- Published on
- Jul 08, 2026
- Research Description
- The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.
- Affected versions
-
max 1.5.5.
- Status
-
vulnerable
| Previous vulnerability researches |
|---|
| JSON API User (CVE-2026-9626) , Jul 04, 2026 |
| JSON API User (CVE-2024-6624) , Jul 12, 2024 |