High severity8.8NVD Advisory· Published May 10, 2022· Updated Jun 17, 2026
CVE-2022-1463
CVE-2022-1463
Description
The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. This could be exploited by subscriber-level users and above to call arbitrary PHP objects on a vulnerable site.
Affected products
2- Range: <=9.1
- wpdevelop/Booking Calendarv5Range: 9.1
Patches
Vulnerability mechanics
References
1- www.wordfence.com/blog/2022/04/php-object-injection-in-booking-calendar-plugin/nvdExploitThird Party Advisory
News mentions
0No linked articles in our index yet.