Booking and Rental Manager CVE-2025-26921
Severity (by source): HIGH
CVSS 3.1 vector (NVD, the only source for this CVE): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager allows Object Injection. This issue affects Booking and Rental Manager: from n/a through 2.2.6.
Analysis (AI)
PHP object injection in Booking and Rental Manager for WooCommerce (WordPress plugin) versions up to 2.2.6 allows authenticated attackers with low privileges to execute arbitrary PHP code or manipulate application logic through deserialization of untrusted data. The CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though the low EPSS score (0.23%, 45th percentile) indicates minimal observed exploitation attempts. Patchstack discovered and reported this vulnerability; its advisory is the place to check for patch availability.
Technical Context (AI)
This vulnerability stems from unsafe deserialization practices (CWE-502) in the Booking and Rental Manager WordPress plugin, a WooCommerce extension for managing rental and booking operations. PHP object injection occurs when an application deserializes user-controlled data without proper validation, allowing attackers to instantiate arbitrary PHP objects. If the application or its dependencies contain classes with exploitable 'magic methods' (__wakeup, __destruct, __toString), attackers can trigger unintended code execution, file manipulation, SQL injection, or authentication bypass. The WordPress plugin ecosystem is particularly vulnerable to deserialization flaws because of the extensive use of serialized data in options, transients, and AJAX handlers, combined with the availability of gadget chains in common plugins and themes.
Affected Products (AI)
The vulnerability affects Booking and Rental Manager for WooCommerce, a WordPress plugin developed by magepeopleteam, versions 2.2.6 and earlier. The version range spans from an unspecified initial release through version 2.2.6. This is specifically the WordPress plugin variant that integrates with WooCommerce for managing product rentals and booking services. Affected users can verify their installation by checking the plugin version in the WordPress admin dashboard under Plugins. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-2-6-php-object-injection-vulnerability provides additional identification details.
Remediation (AI)
Update Booking and Rental Manager for WooCommerce to the latest version available from the WordPress plugin repository or the vendor's official distribution channel; Patchstack's involvement typically means a coordinated patch release. Check the plugin's changelog and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-2-6-php-object-injection-vulnerability for the specific patched version number. If immediate patching is not feasible, apply compensating controls: restrict new user registrations to prevent unauthorized account creation; audit existing low-privilege accounts (subscriber and customer roles) and remove unnecessary ones; add web application firewall rules that inspect POST data and cookies for serialized PHP object patterns (an 'O:' followed by a digit sequence) and block them; and enable WordPress security logging to detect suspicious authenticated activity. Note that WAF-based deserialization blocking may produce false positives for legitimate WooCommerce operations and will need careful tuning. As a last resort, temporarily disable the plugin if rental/booking functionality is not business-critical, accepting that dependent site features will break.
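The following PHP is an added example for this page; it is not code from the Booking and Rental Manager plugin and does not reproduce the plugin's actual flaw. It ties together the Technical Context section (the CWE-502 pattern and why magic methods matter) and the Remediation section (the 'O:' request-inspection heuristic): it shows the unsafe unserialize() call beside two hardened alternatives and a request-field scanner for serialized object tokens. Function names, the sample request fields and the PHP 8.0+ requirement are this example's own assumptions.

```php
<?php
// Added example for this advisory page; not the plugin's code.
// Assumes PHP 8.0+ (mixed/nullable types, allowed_classes in unserialize).

// The unsafe pattern CWE-502 describes: client data goes straight into
// unserialize(), so any loadable class with __wakeup/__destruct can be
// instantiated with attacker-chosen properties. Illustrative only.
function vulnerable_load(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened option 1: keep PHP serialization but forbid objects. With
// allowed_classes => false every O: token becomes __PHP_Incomplete_Class,
// whose magic methods never run. The result is still rejected if an object
// token was present, because the caller only expected plain data.
function load_scalars_only(string $untrusted): mixed
{
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if ($value === false && $untrusted !== 'b:0;') {
        return null; // malformed input ('b:0;' is the legitimate serialized false)
    }
    return contains_incomplete_class($value) ? null : $value;
}

// Recursively checks whether any object token survived deserialization.
function contains_incomplete_class(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_class($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened option 2: do not accept PHP-serialized input from clients at all.
// JSON has no notion of classes, so there is nothing to instantiate.
function load_json(string $untrusted): ?array
{
    try {
        $value = json_decode($untrusted, true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// The WAF heuristic from the Remediation section: a serialized PHP object
// token has the shape O:<len>:"<ClassName>":<count>:{ ... }. Returns the
// names of request fields (POST, cookies) carrying one, for logging/blocking.
function find_serialized_object_fields(array $fields): array
{
    $hits = [];
    foreach ($fields as $name => $value) {
        if (is_string($value)
            && preg_match('/O:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/', $value) === 1) {
            $hits[] = (string) $name;
        }
    }
    return $hits;
}

// Constructed sample request (not captured traffic): one legitimate
// serialized array and one object token. stdClass is harmless by itself,
// but an object token in client input is exactly what the heuristic flags.
$constructedPost = [
    'booking' => 'a:1:{s:4:"date";s:10:"2025-01-01";}',
    'payload' => 'O:8:"stdClass":0:{}',
];

var_dump(find_serialized_object_fields($constructedPost));
var_dump(load_scalars_only($constructedPost['booking']));
var_dump(load_scalars_only($constructedPost['payload']));
var_dump(load_json('{"date":"2025-01-01"}'));
```

Two caveats match the page's own warnings. The allowed_classes option only helps where you control the unserialize() call, so it is a fix for plugin code you maintain, not a drop-in mitigation for a third-party plugin; for that, the patch or the request-level blocking is what remains. And the scanner deliberately matches any object token, including ones legitimate WooCommerce requests may carry, which is the false-positive source the Remediation section says requires tuning: log first, block once the tuning holds.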