CVE-2026-27095
Published: 25 March 2026
Summary
CVE-2026-27095 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at percentile 29.2 by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27095 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WordPress plugin Bus Ticket Booking with Seat Reservation by magepeopleteam, with the component identifier bus-ticket-booking-with-seat-reservation. The issue enables Object Injection and affects all versions through 5.6.0. Published on 2026-03-25, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation involves injecting malicious serialized objects, potentially leading to high-impact compromise of confidentiality, integrity, and availability on affected WordPress sites running the vulnerable plugin version.
The Patchstack advisory provides further details on this PHP Object Injection vulnerability, accessible at https://patchstack.com/database/Wordpress/Plugin/bus-ticket-booking-with-seat-reservation/vulnerability/wordpress-bus-ticket-booking-with-seat-reservation-plugin-5-6-2-php-object-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15801
Vulnerability details
Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Object Injection. This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.6.0.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
The remote, unauthenticated deserialization/object injection flaw in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application); the given description does not explicitly support any other technique.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely patching of the Bus Ticket Booking with Seat Reservation plugin, which is vulnerable through version 5.6.0, directly remediates the deserialization of untrusted data flaw.
Validating untrusted serialized data inputs before deserialization blocks malicious object injection in the WordPress plugin.
Vulnerability scanning detects the known PHP object injection vulnerability (CVE-2026-27095) in the affected plugin versions.
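The input-validation control above (SI-10), sketched in PHP as an added example; this is not code from the plugin or from the advisory. `DemoGadget`, `contains_object` and `decode_untrusted` are hypothetical names, the sample inputs are constructed, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any class with a magic method; not plugin code.
final class DemoGadget
{
    public string $note = 'constructed';
    public function __wakeup(): void
    {
        echo "DemoGadget::__wakeup ran during unserialize()\n";
    }
}

// True if the decoded value holds an object at any depth.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true; // includes __PHP_Incomplete_Class placeholders
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hypothetical helper: decode untrusted input, accepting only arrays of scalars.
function decode_untrusted(string $raw): array
{
    // allowed_classes=false: no class is instantiated and no magic method runs.
    $value = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($value) || contains_object($value)) {
        throw new InvalidArgumentException('rejected: not a plain array');
    }
    return $value;
}

// Constructed sample inputs, built with serialize() for the demonstration.
$plain  = serialize(['seat' => 'A1', 'qty' => 2]);
$object = serialize(['seat' => new DemoGadget()]);

var_dump(decode_untrusted($plain));   // plain array passes validation
try {
    decode_untrusted($object);        // serialized object is refused
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Where the data format is under the developer's control, replacing `unserialize()` with `json_decode()` removes the object-instantiation path entirely.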