Website Security: PHP Object Injection Threat in Booking Calendar Plugin

A recent vulnerability in the Booking Calendar plugin compromises the website security of those who use it on their WordPress websites. The Booking Calendar plugin is used by 60,000 users and adds booking features to any website. One such feature, the flexible timeline, shows existing bookings using the shortcode [bookingflextimeline].

The timeline feature allows the user to set viewing options when accessing the published timeline. These options were stored in PHP's serialized data format and were unserialized by a function in the PHP file wpbc-class-timeline_v2.php. An attacker can get their own serialized data into this code path in a variety of ways. If attacker-controlled data reaches the unserialize call, a PHP object with attacker-chosen properties can be injected. This can permit an attacker to run malicious code or gain access to the website, jeopardizing your website security.
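The following is an added illustration of the weakness described above; it is not code from the Booking Calendar plugin or from Wordfence, and the class name, option keys and file path in it are hypothetical. It shows why calling unserialize() on data a visitor can control lets an injected object run its magic methods, and two ways to harden such a call (PHP 8 assumed).

```php
<?php
// Added example, not the plugin's code. Class, property and option names are hypothetical.

// A class with a magic method. unserialize() runs __wakeup() on every instance it
// rebuilds, so an object of this class smuggled into the payload executes code.
class TimelineCache
{
    public string $path = '/tmp/timeline-cache.txt';

    public function __wakeup(): void
    {
        // Only a log line here; in a real gadget chain this could be file I/O or eval.
        error_log("TimelineCache::__wakeup() ran with path={$this->path}");
    }
}

// Constructed sample input: what a legitimate timeline options string looks like.
$legitimate = serialize(['view_days' => 30, 'show_past' => false]);

// Constructed sample input: same serialized format, but carrying an object, not options.
$hostile = serialize(new TimelineCache());

// BEFORE: any class named in the payload is instantiated and its magic methods run.
function loadOptionsUnsafe(string $data): mixed
{
    return unserialize($data);
}

// AFTER (option 1): keep the serialized format but forbid object instantiation.
// Objects in the payload become __PHP_Incomplete_Class and no magic method is called.
function loadOptionsNoObjects(string $data): ?array
{
    $decoded = unserialize($data, ['allowed_classes' => false]);
    return is_array($decoded) ? $decoded : null;
}

// AFTER (option 2): do not use PHP serialization for user-facing data at all.
// json_decode() can only ever yield scalars, arrays and stdClass, never a custom class.
function loadOptionsJson(string $data): ?array
{
    $decoded = json_decode($data, true, 8, JSON_THROW_ON_ERROR); // throws on malformed input
    return is_array($decoded) ? $decoded : null;
}

var_dump(loadOptionsUnsafe($hostile) instanceof TimelineCache);   // true, and __wakeup() has run
var_dump(loadOptionsNoObjects($hostile));                         // NULL: object rejected, nothing ran
var_dump(loadOptionsNoObjects($legitimate));                      // array with view_days and show_past
var_dump(loadOptionsJson('{"view_days":30,"show_past":false}'));  // the same array, via JSON
```

The `allowed_classes` option has been available since PHP 7.0, so the first hardening is a one-line change wherever a serialized format must be kept; switching to JSON removes the object-injection surface entirely.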

To combat these vulnerabilities, Wordfence has issued firewall rules. Sites with the paid version of Wordfence received the rules on April 18th 2022, and those with the free version received them on May 18th 2022. Those who use Booking Calendar and are Wordfence users are advised to update the plugin to version 9.1.1.

If you are concerned about your website security, Web Works offers a comprehensive security program that will protect you from any threats on the internet. Call us at 216.307.5600 or send us an email if you need help with web security.

Source: Wordfence