CVE-2026-12378
EUVD-2026-4217808.07.2026, 07:16
The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.Enginsight
Awaiting analysis
This vulnerability is currently awaiting analysis.