CVE-2025-26921
Published: 15 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-26921 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WordPress plugin Booking and Rental Manager for WooCommerce by magepeopleteam, which enables Object Injection. The issue affects all versions of the plugin up to and including 2.2.6.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited over the network with low complexity by an authenticated attacker possessing low privileges. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or other severe consequences depending on the deserialized objects.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-2-6-php-object-injection-vulnerability?_s_id=cve provides further details on the vulnerability. Security practitioners should consult this reference for mitigation guidance, such as updating to a patched version if available or applying workarounds.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The PHP object injection vulnerability allows an authenticated low-privilege attacker to achieve arbitrary code execution with high impact on C/I/A, directly mapping to exploitation for privilege escalation in a public-facing WordPress plugin.