Description
Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection. This issue affects Booking and Rental Manager: from n/a through <= 2.2.6.
Published: 2025-03-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of Untrusted Data in the Booking and Rental Manager plugin for WooCommerce permits PHP Object Injection. An attacker who can supply the serialized data the plugin accepts can cause it to instantiate attacker-chosen objects, which may lead to arbitrary code execution on the web server. This flaw is classified as CWE-502 and can compromise the confidentiality, integrity, and availability of the WordPress site.

Affected Systems

Magepeopleteam’s Booking and Rental Manager plugin for WooCommerce, versions up to and including 2.2.6, is affected. Any WordPress installation that has this plugin enabled with a vulnerable version is at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of less than 1% suggests that, as of the latest assessment, exploitation is uncommon, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, the attack vector is inferred to be user-controlled input that carries serialized data, such as form submissions or URL parameters; if an attacker can deliver crafted payloads to the plugin's endpoints, the result may be remote code execution.

Generated by OpenCVE AI on May 1, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Booking and Rental Manager plugin to a version newer than 2.2.6 where the deserialization issue has been fixed.
  • If an immediate upgrade is not possible, disable or remove the plugin, or block access to any endpoints that accept serialized data until the issue is resolved.
  • Modify the plugin or the surrounding application to validate and sanitize all serialized input, or replace PHP’s unserialize with safe deserialization techniques or stricter class whitelisting.
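The third recommended action, restricting which classes unserialize() may instantiate or avoiding object deserialization entirely, is illustrated below. This is an added example and not code from the Booking and Rental Manager plugin; BookingRange, decode_range_unsafe, decode_range_safe, decode_range_json and validate_range are hypothetical names chosen for the illustration, and the inputs at the bottom are constructed.

```php
<?php
// Added example, not code from the Booking and Rental Manager plugin.
// Shows the unsafe pattern behind CWE-502 next to two hardened forms.
// All class and function names here are hypothetical.

declare(strict_types=1);

// The one object type the application legitimately expects to round-trip.
final class BookingRange
{
    public function __construct(public string $from, public string $to) {}
}

// Weak: unserialize() with no class restriction instantiates whatever class
// the input names. If that class defines __wakeup(), __destruct() or similar
// magic methods, their code runs on attacker-controlled state.
function decode_range_unsafe(string $blob): mixed
{
    return @unserialize($blob);
}

// Hardened: allowed_classes (PHP >= 7.0) limits instantiation to an explicit
// whitelist. Any other class comes back as __PHP_Incomplete_Class and is
// rejected, as is malformed input (unserialize() returns false).
function decode_range_safe(string $blob): ?BookingRange
{
    $value = @unserialize($blob, ['allowed_classes' => [BookingRange::class]]);
    if (!$value instanceof BookingRange) {
        return null;
    }
    return validate_range($value);
}

// Safest: do not accept serialized objects across a trust boundary at all.
// Plain JSON carries no class names, so there is nothing to instantiate.
function decode_range_json(string $json): ?BookingRange
{
    $data = json_decode($json, true);
    if (!is_array($data)
        || !is_string($data['from'] ?? null)
        || !is_string($data['to'] ?? null)) {
        return null;
    }
    return validate_range(new BookingRange($data['from'], $data['to']));
}

// Deserialization only restores structure; field values still need checking.
function validate_range(BookingRange $r): ?BookingRange
{
    foreach ([$r->from, $r->to] as $d) {
        if (preg_match('/^\d{4}-\d{2}-\d{2}$/', $d) !== 1) {
            return null;
        }
    }
    return $r->from <= $r->to ? $r : null;
}

// Constructed inputs for a local run (php example.php).
$legit   = serialize(new BookingRange('2025-06-01', '2025-06-07'));
$foreign = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'; // names a class never asked for

// The unsafe decoder happily builds the foreign class; the safe one rejects it.
var_dump(decode_range_unsafe($foreign));
var_dump(decode_range_safe($foreign));
// The whitelisted type still round-trips through the safe decoder.
var_dump(decode_range_safe($legit));
// JSON input is validated field by field instead of trusting a class name.
var_dump(decode_range_json('{"from":"2025-06-01","to":"2025-06-07"}'));
var_dump(decode_range_json('{"from":"2025-06-01","to":"not-a-date"}'));
```

The whitelist alone is not a complete fix: a class that is allowed can still be a gadget if it has dangerous magic methods, which is why the example also validates every field after decoding and prefers a format (JSON) that cannot name classes at all.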

Generated by OpenCVE AI on May 1, 2026 at 13:45 UTC.

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-7718
Title: Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager allows Object Injection. This issue affects Booking and Rental Manager: from n/a through 2.2.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager allows Object Injection. This issue affects Booking and Rental Manager: from n/a through 2.2.6.
Values Added: Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.2.6.

Type: References

Type: Metrics
cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00074}
Values Added: epss {'score': 0.00102}


Tue, 18 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 15 Mar 2025 22:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager allows Object Injection. This issue affects Booking and Rental Manager: from n/a through 2.2.6.
Title WordPress Booking and Rental Manager Plugin <= 2.2.6 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:43.902Z

Reserved: 2025-02-17T11:51:01.644Z

Link: CVE-2025-26921

Vulnrichment

Updated: 2025-03-17T15:01:46.582Z

NVD

Status: Deferred

Published: 2025-03-15T22:15:14.517

Modified: 2026-04-23T15:26:04.433

Link: CVE-2025-26921

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:00:15Z

Weaknesses