Skip to main content

Booktics

2 CVEs product

Monthly

CVE-2026-57621 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Booktics WordPress plugin (by Arraytics) affects all versions up to and including 1.0.21, letting remote attackers with no authentication inject arbitrary PHP objects into the application. If a suitable POP (property-oriented programming) gadget chain exists in the plugin, WordPress core, or another active plugin, this can escalate to remote code execution, data theft, or full site takeover. Reported by Patchstack and rated CVSS 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization PHP Booktics
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-39585 MEDIUM This Month

Missing authorization in Arraytics Booktics WordPress plugin through version 1.0.16 allows unauthenticated remote attackers to modify application data via incorrectly configured access control security levels. The vulnerability has a low EPSS score (0.02%, percentile 4) despite the network-accessible attack vector, suggesting limited real-world exploitation likelihood. No public exploit code or active CISA KEV status has been identified.

Authentication Bypass Booktics
NVD
CVSS 3.1
5.3
EPSS
0.0%
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the Booktics WordPress plugin (by Arraytics) affects all versions up to and including 1.0.21, letting remote attackers with no authentication inject arbitrary PHP objects into the application. If a suitable POP (property-oriented programming) gadget chain exists in the plugin, WordPress core, or another active plugin, this can escalate to remote code execution, data theft, or full site takeover. Reported by Patchstack and rated CVSS 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization PHP Booktics
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in Arraytics Booktics WordPress plugin through version 1.0.16 allows unauthenticated remote attackers to modify application data via incorrectly configured access control security levels. The vulnerability has a low EPSS score (0.02%, percentile 4) despite the network-accessible attack vector, suggesting limited real-world exploitation likelihood. No public exploit code or active CISA KEV status has been identified.

Authentication Bypass Booktics
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy