CVE-2026-12378

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.
Configurations

No configuration.

History

08 Jul 2026, 11:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.1

08 Jul 2026, 07:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-08 07:16

Updated : 2026-07-08 14:56


NVD link : CVE-2026-12378

Mitre link : CVE-2026-12378

CVE.ORG link : CVE-2026-12378


JSON object : View

Products Affected

No product.

CWE

No CWE.