Back to KEVs

CVE-2017-20206

Appointments <= 2.2.1 - Unauthenticated PHP Object Injection

Basic Information

CVE State
PUBLISHED
Reserved Date
October 17, 2025
Published Date
October 18, 2025
Last Updated
October 20, 2025
Vendor
wpmudev
Product
Appointments
Description
The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
none
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 10:42:26 UTC) Source

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/7e8f230e-3f96-4efd-806d-72725b960303?source=cve https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploited-wild/ https://plugins.trac.wordpress.org/changeset/1733186/appointments

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 10:42:26 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel