Cyber Posture

CVE-2025-64266

Severity: High
Published: 18 December 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.6th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager (booking-and-rental-manager-for-woocommerce) allows Object Injection. This issue affects Booking and Rental Manager: from n/a through <= 2.5.4.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: Directly mitigates the deserialization vulnerability by requiring timely remediation, i.e. updating the affected Booking and Rental Manager plugin (versions up to and including 2.5.4).

Prevent: Prevents object injection by enforcing validation of untrusted input data before it reaches the plugin's deserialization logic.

Detect: Enables detection of the PHP object injection vulnerability through regular vulnerability scanning of WordPress plugins such as Booking and Rental Manager.

Security Summary [AI-generated]

CVE-2025-64266 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WordPress plugin Booking and Rental Manager for WooCommerce by magepeopleteam. The flaw allows Object Injection and affects the plugin from unknown initial versions through 2.5.4. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact.

Attackers with low privileges, such as authenticated users on a vulnerable WordPress site, can exploit this over the network with low complexity and no user interaction required. Successful exploitation enables high confidentiality, integrity, and availability impacts, typically through arbitrary object instantiation in PHP that could lead to code execution or other severe effects depending on the deserialized data.

The Patchstack advisory provides details on this PHP Object Injection vulnerability in version 2.5.4; security practitioners should consult https://patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-5-4-php-object-injection-vulnerability?_s_id=cve for mitigation guidance, such as applying available patches or updates.
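As an added illustration of the CWE-502 pattern the summary describes and of the "validate untrusted input before deserialization" control listed above, here is a weak handler beside a hardened one in PHP. This is not code from the Booking and Rental Manager plugin or from Patchstack; the function names, field names and sample payloads are hypothetical.

```php
<?php
// Added illustration (not code from the Booking and Rental Manager plugin):
// a CWE-502 pattern in a WordPress-style PHP handler beside a hardened version.
// All function names, field names and payloads below are hypothetical/constructed.

declare(strict_types=1);

// Weak pattern: request data goes straight into unserialize(). Any class that is
// loaded (plugin, theme, WordPress core) can be instantiated by the caller, and
// its magic methods (__wakeup, __destruct, __toString) run with the site's privileges.
function load_booking_weak(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened pattern: accept plain data only. allowed_classes => false (PHP >= 7.0)
// turns every object in the payload into __PHP_Incomplete_Class, so no plugin or
// core class is ever instantiated; the explicit shape check then rejects anything
// that is not the flat array of scalars the feature actually needs.
function load_booking_hardened(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;                       // malformed, or not the array we expect
    }
    $allowed = ['product_id' => 'integer', 'start' => 'string', 'end' => 'string'];
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (!array_key_exists($key, $data) || gettype($data[$key]) !== $type) {
            return null;                   // missing field or wrong scalar type
        }
        $clean[$key] = $data[$key];
    }
    return $clean;                         // unknown keys and any objects are dropped
}

// Detection aid for access logs or WAF rules: a legitimate booking payload never
// carries serialized object tokens (O:<len>:"Class" / C:<len>:"Class"), so their
// presence in a request body is worth alerting on even when the plugin is patched.
function looks_like_object_payload(string $raw): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed inputs for a quick self-check.
$benign = serialize(['product_id' => 42, 'start' => '2026-05-01', 'end' => '2026-05-03']);
$object = 'O:8:"stdClass":0:{}';   // harmless class, but an object payload all the same
var_dump(load_booking_hardened($benign) !== null, load_booking_hardened($object) === null);
var_dump(looks_like_object_payload($object), looks_like_object_payload($benign));
```

Where the data format is under your control, JSON with `json_decode($raw, true)` plus the same shape check removes the object-instantiation surface entirely; the `allowed_classes => false` form is for code that must keep reading legacy serialized input.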

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Deserialization of untrusted data (PHP Object Injection) in a public-facing WordPress plugin enables low-privileged attackers to achieve remote code execution, directly facilitating exploitation of public-facing applications and privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
