PHP Object Injection Vulnerability in Appointments Plugin for WordPress
CVE-2017-20206

9.8 CRITICAL

Key Information:

Vendor

WordPress

CVE Published:
18 October 2025

What is CVE-2017-20206?

The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions 2.2.1 and earlier because it deserializes untrusted data taken from the wpmudev_appointments cookie. This flaw lets an unauthenticated attacker inject arbitrary PHP objects, which can be used to plant a backdoor in the application. Attackers have been observed exploiting the vulnerability through the WP_Theme() class, which underlines the need for prompt patching and supporting security controls on affected WordPress installations.
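The bug class described above is unserialize() applied to client-controlled cookie data. The following PHP is an added illustration, not the plugin's own code: it places that vulnerable pattern beside two hardened forms and a simple detection check. The cookie name comes from this advisory; the Booking class, the function names and the sample cookie values are constructed for the example.

```php
<?php
// Added example (not the Appointments plugin's code). The cookie name is the
// one named in the advisory; Booking and all function names are hypothetical.

class Booking {
    public $slot;
    public function __construct($slot) { $this->slot = $slot; }
    // Any __wakeup/__destruct here (or in any loaded class) would run on
    // attacker-chosen objects under the vulnerable pattern below.
}

// VULNERABLE PATTERN: unserialize() on a value the client fully controls.
// The payload picks the class name, so any loaded class can be instantiated.
function read_booking_vulnerable(array $cookies) {
    if (!isset($cookies['wpmudev_appointments'])) {
        return null;
    }
    return @unserialize($cookies['wpmudev_appointments']);
}

// HARDENED 1 (PHP >= 7.0): keep the serialized format but forbid objects.
// With allowed_classes => false, any "O:" entry becomes
// __PHP_Incomplete_Class and no application constructor or magic method runs.
function read_booking_no_objects(array $cookies) {
    if (!isset($cookies['wpmudev_appointments'])) {
        return null;
    }
    $data = @unserialize($cookies['wpmudev_appointments'], ['allowed_classes' => false]);
    // Only accept the shape we expect: a plain array with a string slot.
    if (!is_array($data) || !isset($data['slot']) || !is_string($data['slot'])) {
        return null;
    }
    return ['slot' => $data['slot']];
}

// HARDENED 2: do not use PHP serialization for client-held state at all.
// JSON cannot describe PHP objects, and the result is validated before use.
function read_booking_json(array $cookies) {
    if (!isset($cookies['wpmudev_appointments'])) {
        return null;
    }
    $data = json_decode($cookies['wpmudev_appointments'], true, 4);
    if (!is_array($data) || !isset($data['slot']) || !is_string($data['slot'])) {
        return null;
    }
    // Example whitelist: slots must look like YYYY-MM-DDTHH:MM.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}$/', $data['slot'])) {
        return null;
    }
    return ['slot' => $data['slot']];
}

// DETECTION: a serialized PHP object starts with O:<len>:"<class>" (or C: for
// custom serialization). A legitimate array-only cookie starts with "a:", so
// an "O:" prefix in this cookie is a useful log/WAF indicator for this bug class.
function cookie_looks_like_serialized_object(string $raw): bool {
    return (bool) preg_match('/^[OC]:\d+:"/', $raw);
}

// Constructed sample values for a local run.
$benign  = ['wpmudev_appointments' => serialize(['slot' => '2025-10-18T10:00'])];
$objects = ['wpmudev_appointments' => 'O:7:"Booking":1:{s:4:"slot";s:4:"none";}'];

var_dump(read_booking_vulnerable($objects) instanceof Booking);          // true: object injected
var_dump(read_booking_no_objects($objects));                             // NULL: object refused
var_dump(read_booking_no_objects($benign));                              // array with 'slot'
var_dump(cookie_looks_like_serialized_object($objects['wpmudev_appointments'])); // true
var_dump(cookie_looks_like_serialized_object($benign['wpmudev_appointments']));  // false
```

Of the two hardened forms, the JSON variant is the one to prefer for new code: it removes the deserialization sink entirely rather than constraining it, and the shape check after json_decode() is where the remaining input validation lives. The allowed_classes option is the smaller change when an existing serialized cookie format must be kept compatible.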

Affected Version(s)

Appointments * < 2.2.2

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Matt Barry