Description
Deserialization of Untrusted Data vulnerability in TuriTop TuriTop Booking System turitop-booking-system allows Object Injection. This issue affects TuriTop Booking System: from n/a through <= 1.0.10.
Published: 2025-04-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the TuriTop Booking System plugin for WordPress. Deserialization of untrusted data allows an attacker to inject arbitrary PHP objects, which can lead to remote code execution or other severe impacts. The flaw is classified as CWE‑502 and carries a CVSS score of 8.8, indicating high severity if it is exploited.

Affected Systems

Affected products are the TuriTop Booking System plugin from the vendor TuriTop, specifically any release up to and including version 1.0.10. The plugin is commonly deployed in WordPress sites as a booking system solution.

Risk and Exploitability

The CVSS score of 8.8 marks this as a high‑severity vulnerability, but the EPSS score of less than 1 % suggests a low probability of widespread exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit this flaw by crafting a malicious payload that triggers the PHP deserialization routine, possibly via a crafted form submission or crafted URL. Because the flaw arises from deserialization of untrusted data, any input that reaches PHP’s unserialize() without validation could be abused. Validating the source of the data before it is deserialized, or removing the deserialization capability altogether, would effectively mitigate the risk.

Generated by OpenCVE AI on April 30, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TuriTop Booking System plugin to a version newer than 1.0.10.
  • If an upgrade is not possible, immediately disable or remove the plugin to stop further deserialization of untrusted data.
  • Implement stricter input validation or use PHP’s built‑in safe serialization functions in any custom code to prevent object injection.
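The two code-level recommendations above (validate input, avoid unsafe deserialization) are illustrated below with an added example. This is not the TuriTop plugin's code and makes no claim about where its deserialization call sits; it shows the generic CWE‑502 pattern in a hypothetical WordPress form handler and two hardened alternatives. All names (BookingRequest, booking_handler_vulnerable, booking_handler_hardened, unserialize_data_only) and the sample payload are assumptions constructed for the illustration.

```php
<?php
// Added illustration of CWE-502 in a booking form handler; not the plugin's code.
// Every identifier below is hypothetical.

// A plain value object the handler is meant to produce.
final class BookingRequest {
    public function __construct(public string $date, public int $guests) {}
}

// VULNERABLE (illustrative): the serialized blob is taken straight from the
// request. unserialize() rebuilds whatever class name the payload carries, so
// the client, not the plugin, decides which object (and which __wakeup /
// __destruct logic) gets instantiated. This is the object-injection pattern
// the advisory describes.
function booking_handler_vulnerable(array $post): ?object {
    if (!isset($post['booking']) || !is_string($post['booking'])) {
        return null;
    }
    $obj = @unserialize($post['booking']);   // CWE-502: untrusted data
    return is_object($obj) ? $obj : null;
}

// HARDENED: accept JSON instead. JSON carries data but never class names, and
// the handler constructs the object itself after validating every field.
function booking_handler_hardened(array $post): ?BookingRequest {
    if (!isset($post['booking']) || !is_string($post['booking'])) {
        return null;
    }
    $data = json_decode($post['booking'], true, 4);
    if (!is_array($data) || !isset($data['date'], $data['guests'])) {
        return null;
    }
    // Date must be an exact Y-m-d string (round-trip check rejects "2025-13-40").
    $date = is_string($data['date'])
        ? DateTimeImmutable::createFromFormat('!Y-m-d', $data['date'])
        : false;
    if ($date === false || $date->format('Y-m-d') !== $data['date']) {
        return null;
    }
    // Guests must be an integer in a sane range.
    $guests = filter_var($data['guests'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 50]]);
    if ($guests === false) {
        return null;
    }
    return new BookingRequest($data['date'], $guests);
}

// DEFENCE IN DEPTH: where a serialized PHP format cannot be dropped (for example
// legacy stored data), refuse to instantiate any class. With
// allowed_classes => false every object in the payload becomes
// __PHP_Incomplete_Class, so no magic methods of attacker-chosen classes run.
function unserialize_data_only(string $blob): mixed {
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        return null;   // objects are not acceptable here; treat as invalid input
    }
    return $value;
}

// Constructed demonstration payloads (harmless stdClass; no gadget involved).
$serialized_object = 'O:8:"stdClass":0:{}';
$json_booking      = '{"date":"2025-06-01","guests":2}';

var_dump(booking_handler_vulnerable(['booking' => $serialized_object]));  // object(stdClass) is built from client input
var_dump(booking_handler_hardened(['booking' => $serialized_object]));    // NULL: not JSON, rejected
var_dump(booking_handler_hardened(['booking' => $json_booking]));         // BookingRequest built by the handler
var_dump(unserialize_data_only($serialized_object));                      // NULL: object refused
var_dump(unserialize_data_only('a:1:{s:4:"date";s:10:"2025-06-01";}'));   // plain array, allowed
```

A quick review check when auditing any WordPress plugin for this weakness is to search its code for unserialize( and maybe_unserialize( and confirm none of the arguments originate from $_GET, $_POST, $_REQUEST, cookies or request headers without a class restriction or a format change such as the JSON path above.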



Advisories
Source: EUVD
ID: EUVD-2025-11686
Title: Deserialization of Untrusted Data vulnerability in turitop TuriTop Booking System allows Object Injection. This issue affects TuriTop Booking System: from n/a through 1.0.10.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Deserialization of Untrusted Data vulnerability in turitop TuriTop Booking System allows Object Injection. This issue affects TuriTop Booking System: from n/a through 1.0.10.
Values added: Deserialization of Untrusted Data vulnerability in TuriTop TuriTop Booking System turitop-booking-system allows Object Injection. This issue affects TuriTop Booking System: from n/a through <= 1.0.10.

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 17 Apr 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type: Description
Values added: Deserialization of Untrusted Data vulnerability in turitop TuriTop Booking System allows Object Injection. This issue affects TuriTop Booking System: from n/a through 1.0.10.

Type: Title
Values added: WordPress TuriTop Booking System Plugin <= 1.0.10 - PHP Object Injection vulnerability

Type: Weaknesses
Values added: CWE-502

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:24.313Z

Reserved: 2025-04-09T11:20:09.347Z

Link: CVE-2025-32571

Vulnrichment

Updated: 2025-04-17T17:41:10.884Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:44.317

Modified: 2026-04-23T15:29:07.893

Link: CVE-2025-32571

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:00:08Z

Weaknesses