Cyber Posture

CVE-2025-26921

HighRCE

Published: 15 March 2025

Published
15 March 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 35.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26921 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and remediation of flaws like this deserialization vulnerability through plugin patching.

SI-10 Information Input Validation good match
prevent

Mandates validation of all inputs including untrusted serialized data to block object injection during deserialization.

CM-10 Software Usage Restrictions partial match
prevent

Restricts usage to authorized software, preventing deployment or execution of vulnerable plugin versions affected by this CVE.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

The PHP object injection vulnerability allows an authenticated low-privilege attacker to achieve arbitrary code execution with high impact on C/I/A, directly mapping to exploitation for privilege escalation in a public-facing WordPress plugin.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.2.6.

Deeper analysisAI

CVE-2025-26921 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WordPress plugin Booking and Rental Manager for WooCommerce by magepeopleteam, which enables Object Injection. The issue affects all versions of the plugin up to and including 2.2.6.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited over the network with low complexity by an authenticated attacker possessing low privileges. Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability, potentially leading to arbitrary code execution or other severe consequences depending on the deserialized objects.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-2-6-php-object-injection-vulnerability?_s_id=cve provides further details on the vulnerability. Security practitioners should consult this reference for mitigation guidance, such as updating to a patched version if available or applying workarounds.

Details

CWE(s)
CWE-502

CVEs Like This One

CVE-2026-32192Shared CWE-502
CVE-2025-23303Shared CWE-502
CVE-2026-27749Shared CWE-502
CVE-2025-66214Shared CWE-502
CVE-2026-25166Shared CWE-502
CVE-2026-37552Shared CWE-502
CVE-2026-24157Shared CWE-502
CVE-2026-32184Shared CWE-502
CVE-2026-4416Shared CWE-502
CVE-2025-24794Shared CWE-502

References