{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69328", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:18.800Z", "datePublished": "2026-02-20T15:46:49.714Z", "dateUpdated": "2026-04-28T20:52:57.341Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "booking-and-rental-manager-for-woocommerce", "product": "Booking and Rental Manager", "vendor": "magepeopleteam", "versions": [{"changes": [{"at": "2.6.0", "status": "unaffected"}], "lessThanOrEqual": "2.5.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:42.791Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.<p>This issue affects Booking and Rental Manager: from n/a through <= 2.5.9.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.5.9."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:37.635Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-5-9-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Booking and Rental Manager plugin <= 2.5.9 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:46:33.103538Z", "id": "CVE-2025-69328", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:52:57.341Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69328", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T18:46:33.103538Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:46:47.479Z"}}], "cna": {"title": "WordPress Booking and Rental Manager plugin <= 2.5.9 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "magepeopleteam", "product": "Booking and Rental Manager", "versions": [{"status": "affected", "changes": [{"at": "2.6.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.5.9"}], "packageName": "booking-and-rental-manager-for-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:42.791Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-5-9-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.5.9.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.<p>This issue affects Booking and Rental Manager: from n/a through <= 2.5.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:16.727Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69328", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:16.727Z", "dateReserved": "2025-12-31T20:12:18.800Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:49.714Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.5.9."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce permite la inyecci\u00f3n de objetos. Este problema afecta a Booking and Rental Manager: desde n/a hasta &lt;= 2.5.9."}], "id": "CVE-2025-69328", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:20.047", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-5-9-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.9]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.6.0,*]"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "Booking and Rental Manager", "source": "cna", "vendor": "magepeopleteam"}, "product": "booking_&_rental_manager", "vendor": "magepeople"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:31:19.111187+00:00", "value": {"mitigation_remediation": ["Upgrade the Booking and Rental Manager plugin to the latest released version that patches the deserialization flaw.", "If an upgrade cannot be performed immediately, restrict or disable any site\u2011side endpoints that accept serialized inputs, or configure a web\u2011application firewall to block unexpected PHP\u2011serialized strings in incoming requests.", "Consider removing or disabling the plugin until a secure version is available, especially if the booking functionality is not critical to business operations."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the magepeopleteam Booking and Rental Manager plugin for WordPress, any installation of the plugin from the start of its releases through version\u202f2.5.9. All WordPress sites that have this plugin installed and are running a vulnerable version are potentially exposed.", "description_and_impact": "WordPress Booking and Rental Manager plugin has a Deserialization of Untrusted Data vulnerability. The plugin accepts serialized PHP data from user-controllable sources and passes it to PHP\u2019s unserialize function, enabling an attacker to inject malicious objects. If successful, the injected objects can trigger arbitrary code execution within the WordPress environment, compromising server integrity and confidentiality. The flaw is a classic PHP Object Injection, classified under CWE\u2011502.", "risk_and_exploitability": "The CVSS score of 8.8 reflects high severity, and the EPSS score below 1\u202f% indicates a low probability of widespread exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an attacker to supply a crafted serialized payload to a plugin endpoint that processes such data, which is likely achievable via remote HTTP requests or manipulated cookies, making the attack vector remote. Once injected, the object can invoke PHP magic methods and execute arbitrary commands."}}}}, "created": "2026-02-23T14:37:29.862070+00:00", "updated": "2026-04-27T20:45:12.701512+00:00", "vendors": ["magepeople", "magepeople$PRODUCT$booking_&_rental_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}