CVE-2022-1463

Published: May 10, 2022Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. This could be exploited by subscriber-level users and above to call arbitrary PHP objects on a vulnerable site.

Affected (1)

Products: Booking Calendar Project: Booking Calendar

Booking Calendar Project

1 product

Booking Calendar

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Booking Calendar Project Booking Calendar	Up to 9.1

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (2)

https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-calendar-plugin/

Source: security@wordfence.com

ExploitThird Party Advisory

https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-calendar-plugin/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.