Unauthenticated PHP Object Injection in Alloggio Hotel Booking Plugin by Patchstack
CVE-2026-39539

8.1HIGH

Key Information:

Vendor: WordPress
Status: Alloggio - Hotel Booking
Vendor: CVE Published:; 16 June 2026

What is CVE-2026-39539?

The Alloggio - Hotel Booking plugin for WordPress versions up to 2.1.2 is susceptible to unauthenticated PHP Object Injection, which allows attackers to exploit the vulnerability remotely. By sending specially crafted requests, attackers can manipulate PHP objects within the application, potentially leading to a compromise of the site or execution of arbitrary code. Proper security measures should be implemented to ensure that the plugin is updated and the application securely handles object injection.

Affected Version(s)

Alloggio - Hotel Booking <= 2.1.2

References

https://patchstack.com/database/wordpress/theme/alloggio/...

vdb-entry

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 16, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

Denver Jackson | Patchstack Bug Bounty Program

CVE-2026-39539 Data

JSON