The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.
References
Configurations
No configuration.
History
08 Jul 2026, 11:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
08 Jul 2026, 07:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-08 07:16
Updated : 2026-07-08 14:56
NVD link : CVE-2026-12378
Mitre link : CVE-2026-12378
CVE.ORG link : CVE-2026-12378
JSON object : View
Products Affected
No product.
CWE
No CWE.
