CVE-2022-1463: 
WordPress vulnerability analysis and mitigation

The Booking Calendar plugin for WordPress contains a PHP Object Injection vulnerability (CVE-2022-1463) discovered in versions up to and including 9.1. The vulnerability exists via the [bookingflextimeline] shortcode and could be exploited by subscriber-level users and above to call arbitrary PHP objects on vulnerable sites (NVD, WPScan).

The vulnerability stems from the plugin's unsafe deserialization of user data without proper validation. When a timeline is published, the vulnerability could be exploited by unauthenticated attackers; otherwise, any authenticated user could perform the attack. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating high potential impact on confidentiality, integrity, and availability (NVD).

If successfully exploited, this vulnerability could allow attackers to perform PHP object injection attacks. A successful attack would require a suitable POP chain, potentially from another plugin, which could lead to arbitrary code execution on the affected system (WPScan).

The vulnerability has been fixed in version 9.1.1 of the Booking Calendar plugin. Site administrators are strongly advised to update to this version or later to protect against potential attacks (WPScan).