PHP Deserialization Vulnerability in Appointment Booking Calendar Plugin for WordPress
CVE-2026-12378
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 8 July 2026
Badges
What is CVE-2026-12378?
The Appointment Booking Calendar Plugin for WordPress, up to version 1.1.28, fails to validate user input before it is processed by a PHP deserialization function. This flaw exposes the plugin to attacks from unauthenticated users, who could exploit the vulnerability to inject arbitrary PHP objects. If an appropriate gadget chain is present on the affected site, this vulnerability has the potential to lead to remote code execution, making it essential for users to secure their installations.
Affected Version(s)
Appointment Booking Calendar Plugin and Scheduling Plugin 0 <= 1.1.28
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.