Booktics
Monthly
Unauthenticated PHP Object Injection in the Booktics WordPress plugin (by Arraytics) affects all versions up to and including 1.0.21, letting remote attackers with no authentication inject arbitrary PHP objects into the application. If a suitable POP (property-oriented programming) gadget chain exists in the plugin, WordPress core, or another active plugin, this can escalate to remote code execution, data theft, or full site takeover. Reported by Patchstack and rated CVSS 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Missing authorization in Arraytics Booktics WordPress plugin through version 1.0.16 allows unauthenticated remote attackers to modify application data via incorrectly configured access control security levels. The vulnerability has a low EPSS score (0.02%, percentile 4) despite the network-accessible attack vector, suggesting limited real-world exploitation likelihood. No public exploit code or active CISA KEV status has been identified.
Unauthenticated PHP Object Injection in the Booktics WordPress plugin (by Arraytics) affects all versions up to and including 1.0.21, letting remote attackers with no authentication inject arbitrary PHP objects into the application. If a suitable POP (property-oriented programming) gadget chain exists in the plugin, WordPress core, or another active plugin, this can escalate to remote code execution, data theft, or full site takeover. Reported by Patchstack and rated CVSS 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Missing authorization in Arraytics Booktics WordPress plugin through version 1.0.16 allows unauthenticated remote attackers to modify application data via incorrectly configured access control security levels. The vulnerability has a low EPSS score (0.02%, percentile 4) despite the network-accessible attack vector, suggesting limited real-world exploitation likelihood. No public exploit code or active CISA KEV status has been identified.