CVE-2017-20206

Critical CVSS: 9.8

The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.

Vendor

Wpmudev

Product

Appointments

CWE

CWE-502

Yayın Tarihi

2025-10-18 04:15:43

Güncelleme

2025-12-23 17:06:57

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-502 Appointments CRITICAL Wpmudev 2025

Referanslar

https://plugins.trac.wordpress.org/changeset/1733186/appointments https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploited-wild/ https://www.wordfence.com/threat-intel/vulnerabilities/id/7e8f230e-3f96-4efd-806d-72725b960303?source=cve

Benzer Kayıtlar

Medium

CVE-2025-5341

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cro…

Medium

CVE-2024-8492

The Hustle WordPress plugin through 7.8.5 does not sanitise and escape some of its settings, which could allow high pri…

Medium

CVE-2025-3479

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Repl…

Medium

CVE-2025-3487

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cro…

Medium

CVE-2025-0469

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cro…

Medium

CVE-2024-7052

The Forminator Forms WordPress plugin before 1.38.3 does not sanitise and escape some of its settings, which could allo…