PT-2025-42674 · WordPress · Gappointments

Published: 2025-10-18 · Updated: 2025-10-18 · CVE-2017-20206

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Appointments plugin for WordPress versions up to and including 2.2.1

Description: The Appointments plugin for WordPress is vulnerable to PHP Object Injection through deserialization of untrusted input received from the wpmudev_appointments cookie. This allows unauthenticated attackers to inject a PHP object. Reports indicate active exploitation of this issue, with attackers using the WP_Theme() class to establish backdoors.

Recommendations: Update the Appointments plugin to a version newer than 2.2.1.
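
One way to spot the cookie-borne object injection described above in captured request data, as an added example that is not part of the advisory or of the plugin's code. The cookie spelling `wpmudev_appointments`, the URL and base64 encodings tried, and the record layout are assumptions, and the sample records are constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote

COOKIE_NAME = "wpmudev_appointments"  # assumed spelling of the cookie named in the advisory

# PHP serialize() object markers: O:<len>:"Class":<n>:{ or C:<len>:"Class":<n>:{
# at the start of the value or nested after ';' / '{'. '+' covers the O:+8: variant.
OBJ_TOKEN = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')


def candidates(raw):
    """Yield the value as sent, URL-decoded, and base64-decoded when it is valid base64."""
    decoded = unquote(raw)
    yield raw
    yield decoded
    try:
        yield base64.b64decode(decoded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass


def injected_classes(cookie_header):
    """Return sorted class names found in serialized objects inside the plugin cookie."""
    found = set()
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            for text in candidates(value):
                found.update(OBJ_TOKEN.findall(text))
    return sorted(found)


def scan(records):
    """Return (client, classes) for every record whose cookie carries an object."""
    return [(client, cls) for client, hdr in records if (cls := injected_classes(hdr))]


# Constructed sample records (client address, Cookie header); not real traffic.
_B64 = base64.b64encode(b'a:1:{i:0;O:8:"WP_Theme":0:{}}').decode()
SAMPLE = [
    ("192.0.2.10", "wpmudev_appointments=a%3A1%3A%7Bi%3A0%3Bi%3A42%3B%7D"),
    ("198.51.100.7", "lang=en; wpmudev_appointments=O%3A8%3A%22WP_Theme%22%3A0%3A%7B%7D"),
    ("203.0.113.9", "wpmudev_appointments=" + _B64),
]

if __name__ == "__main__":
    for client, classes in scan(SAMPLE):
        print(client, classes)
```

A hit means a client sent a serialized object where plain data is expected; on a site still running 2.2.1 or earlier, treat it as a reason to check for added files and accounts after updating.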

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2017-20206

Affected Products

Gappointments