Home

Description

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.

PUBLISHED Reserved 2026-06-16 | Published 2026-07-08 | Updated 2026-07-08 | Assigner WPScan

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status
unknown

Any version
affected

Credits

Sanjar Tulkinov finder

WPScan coordinator

References

wpscan.com/...rability/eb3abb88-43c3-42a8-a8a8-2ad67d37e020/ exploit vdb-entry technical-description

cve.org (CVE-2026-12378)

nvd.nist.gov (CVE-2026-12378)

Download JSON