Description
Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.5.4.
Published: 2025-12-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Booking and Rental Manager plugin performs deserialization of untrusted data without proper validation, creating a PHP Object Injection flaw (CWE-502). An attacker who can supply a crafted serialized payload may instantiate malicious objects, potentially leading to arbitrary code execution within the WordPress environment.

Affected Systems

All WordPress sites using the Booking and Rental Manager plugin from its earliest release through version 2.5.4 are affected. Systems running any <= 2.5.4 variant of this plugin are vulnerable, as the flaw is present in every historic version listed.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog, but the potential impact remains severe. Attackers could exploit the plugin by crafting requests that trigger the unsafe deserialization routine, thus executing arbitrary code or commands via the plugin’s API or front‑end interfaces.

Generated by OpenCVE AI on April 29, 2026 at 12:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Booking and Rental Manager plugin to the latest revision that removes the deserialization flaw.
  • If an update cannot be applied immediately, temporarily disable or uninstall the plugin until a patched version is released.
  • Configure a web application firewall or security plugin to block or sanitize incoming requests that contain serialized PHP data for the Booking and Rental Manager endpoints.

Generated by OpenCVE AI on April 29, 2026 at 12:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Magepeople
Magepeople booking & Rental Manager
Wordpress
Wordpress wordpress
Vendors & Products Magepeople
Magepeople booking & Rental Manager
Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.5.4.
Title WordPress Booking and Rental Manager plugin <= 2.5.4 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Magepeople Booking & Rental Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:28:35.463Z

Reserved: 2025-10-29T03:08:22.608Z

Link: CVE-2025-64266

cve-icon Vulnrichment

Updated: 2025-12-18T19:28:12.204Z

cve-icon NVD

Status : Deferred

Published: 2025-12-18T08:16:13.180

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64266

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T12:15:09Z

Weaknesses