Description
Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection. This issue affects Booking and Rental Manager: from n/a through <= 2.5.9.
Published: 2026-02-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The WordPress Booking and Rental Manager plugin has a Deserialization of Untrusted Data vulnerability. The plugin accepts serialized PHP data from user-controllable sources and passes it to PHP’s unserialize() function, enabling an attacker to inject malicious objects. If successful, the injected objects can trigger arbitrary code execution within the WordPress environment, compromising server integrity and confidentiality. The flaw is a classic PHP Object Injection, classified under CWE‑502.

Affected Systems

The flaw affects the magepeopleteam Booking and Rental Manager plugin for WordPress in every installation from the start of its releases through version 2.5.9. All WordPress sites that have this plugin installed and are running a vulnerable version are potentially exposed.

Risk and Exploitability

The CVSS score of 8.8 reflects high severity, and the EPSS score below 1% indicates a low probability of widespread exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to supply a crafted serialized payload to a plugin endpoint that processes such data, which is likely achievable via remote HTTP requests or manipulated cookies, making the attack vector remote. The CVSS vector recorded for this CVE (AV:N/AC:L/PR:L/UI:N) also indicates that low privileges are required and no user interaction is needed. Once injected, the object can invoke PHP magic methods and execute arbitrary commands.

Generated by OpenCVE AI on April 27, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Booking and Rental Manager plugin to the latest released version that patches the deserialization flaw.
  • If an upgrade cannot be performed immediately, restrict or disable any site‑side endpoints that accept serialized inputs, or configure a web‑application firewall to block unexpected PHP‑serialized strings in incoming requests.
  • Consider removing or disabling the plugin until a secure version is available, especially if the booking functionality is not critical to business operations.



Advisories

No advisories yet.

History

Wed, 25 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Magepeople; Magepeople booking & Rental Manager; Wordpress; Wordpress wordpress
Vendors & Products | | Magepeople; Magepeople booking & Rental Manager; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection. This issue affects Booking and Rental Manager: from n/a through <= 2.5.9.
Title | | WordPress Booking and Rental Manager plugin <= 2.5.9 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:52:57.341Z

Reserved: 2025-12-31T20:12:18.800Z

Link: CVE-2025-69328

Vulnrichment

Updated: 2026-02-24T18:46:47.479Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:20.047

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:45:12Z

Weaknesses