CVE-2026-57621: WordPress Booktics plugin <= 1.0.21 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Booktics versions <= 1.0.21.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
The Booktics WordPress plugin (versions 1.0.21 and earlier) is vulnerable to PHP Object Injection: an endpoint reachable over the network without credentials deserializes attacker-supplied data without validating it. By sending a crafted serialized PHP payload, an unauthenticated attacker controls which objects are instantiated and with what property values. What happens next depends on the classes already loaded in the target installation (a POP chain), up to and including remote code execution; CVSS rates the impact as high on confidentiality, integrity and availability. No fixed version has been published upstream. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as a fix is released.
HarborGuard Coverage
Detection for CVE-2026-57621 is available across every HarborGuard environment - the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the Booktics plugin. Any image carrying Booktics 1.0.21 or earlier is flagged automatically.
HarborGuard scores this CVE at CVSS 9.8 (Critical) and weights it against each customer environment's compliance policy to prioritize triage. Alerts are routed to the owning team's inbox within each customer organization according to its configured ownership rules.
Because no fix version has been published upstream, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the Arraytics team ships a remediated release. Until then, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of images containing the affected plugin version.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network (AV:N), so an attacker can reach it from the internet without any prior foothold on the host.
- Authentication: Not required
No credentials of any kind are needed (PR:N); the injection is triggered by an anonymous, unauthenticated HTTP request.
- Victim interaction: Not required
Exploitation is fully attacker-driven (UI:N) and requires no action from any user of the WordPress site.
- Attack complexity: Low
Attack complexity is low (AC:L): exploitation does not depend on a race condition, on memory layout, or on any other condition outside the attacker's control, so a working payload is reliably repeatable.
Blast Radius
- The attacker can read all data accessible to the WordPress process, including database credentials, session tokens, and stored user records.
- The attacker can write or modify files and database content, enabling defacement, backdoor implantation, or privilege escalation within the application.
- The attacker can crash or otherwise deny availability of the WordPress service to legitimate users.
- The object injection can be escalated to remote code execution on the underlying host when classes already loaded by WordPress core, the active theme, or other installed plugins expose magic methods (__wakeup, __destruct, __toString) with useful side effects such as file writes or database queries. Chaining such classes is known as property-oriented programming (a POP chain); whether RCE is reachable therefore depends on the rest of the installation, not on Booktics alone.
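The following added example (illustrative code written for this page, not the Booktics plugin's code; the handler functions, the CacheWriter gadget class, the request shape and the temp-file path are all hypothetical) shows the bug class in miniature: a handler that feeds raw client input to unserialize(), a stand-in gadget whose __destruct() runs with the web server's privileges, a payload written the way an attacker would craft it, and the same handler hardened with allowed_classes => false. It requires PHP 7.4 or later and runs from the command line.

```php
<?php
// Added illustration of PHP Object Injection (not Booktics code).
// Everything here (class, handlers, payload, paths) is constructed for the demo.
declare(strict_types=1);

// A "gadget": a class whose magic method has a dangerous side effect. Real POP
// chains reuse classes already loaded by WordPress core, the theme or other
// plugins; this toy class stands in for such a class.
final class CacheWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // Runs when a deserialised instance is freed: attacker-chosen content
        // lands at an attacker-chosen path, with the web server's privileges.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: raw request data goes straight into unserialize(), so any
// loaded class can be instantiated and its __wakeup()/__destruct() will fire.
function vulnerable_handler(string $raw): array
{
    $state = unserialize($raw);
    return is_array($state) ? $state : [];
}

// Hardened pattern: allowed_classes => false makes every object in the payload a
// __PHP_Incomplete_Class, so no user-defined magic method can run. The better fix
// is to stop accepting serialised PHP from clients at all (json_decode(..., true)).
function hardened_handler(string $raw): array
{
    $state = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($state)) {
        return [];
    }
    foreach ($state as $value) {
        if (!is_scalar($value)) {   // reject anything that tried to smuggle an object
            return [];
        }
    }
    return $state;
}

// Constructed payload, written as text the way an attacker would send it:
// a legitimate-looking array with a CacheWriter object smuggled into one key.
$marker  = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';
$payload = sprintf(
    'a:2:{s:7:"booking";i:42;s:5:"cache";O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:5:"pwned";}}',
    strlen($marker),
    $marker
);

@unlink($marker);
$result = vulnerable_handler($payload);
unset($result);   // frees the array, the gadget is destroyed, __destruct() writes the file
printf("vulnerable handler: %s\n", is_file($marker) ? "gadget wrote {$marker}" : 'no write');

@unlink($marker);
$result = hardened_handler($payload);
printf("hardened handler:   %s (returned %d keys)\n",
    is_file($marker) ? 'FAILED, file written' : 'nothing written', count($result));
@unlink($marker);
```

Run it with `php poi_demo.php`: the first line reports the file written by the gadget, the second reports that nothing was written and that the hardened handler returned zero keys because it rejected the smuggled object. The point for triage is that the plugin's own code never has to contain a dangerous class; any class that happens to be loaded at the moment unserialize() runs is a candidate gadget.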
How HarborGuard Handles This
Because no upstream fix exists yet, HarborGuard continuously re-checks the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically as soon as Arraytics publishes a remediated version of Booktics. In the interim, customers are encouraged to use HarborGuard's policy controls to block promotion of any image containing Booktics 1.0.21 or earlier to production registries. Additional compensating controls worth considering: network-policy isolation to restrict external access to the WordPress installation; egress filtering to limit outbound connections from the container, which blunts second-stage payload downloads and callbacks if a POP chain does reach code execution; and deactivating the Booktics plugin (or removing its directory from wp-content/plugins so that none of its code remains reachable) if booking functionality is not required. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be initiated automatically once the fix version is available, with median time from CVE publication to merged patch PR for critical-severity issues around 90 minutes in environments where auto-remediation is active.
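As an added, stand-alone check (written for this page; it is not HarborGuard's scanner or Arraytics' code), the script below walks a WordPress plugins directory, reads each plugin's header block the way WordPress does, and reports any Booktics install at or below 1.0.21. The default directory, the assumption that the plugin's directory or header name contains "booktics", and the exit codes are assumptions; point it at the plugins directory inside an image layer or on a host.

```php
<?php
// Added example: locate Booktics <= 1.0.21 under a WordPress plugins directory.
// Paths and the "booktics" name hint are assumptions, not taken from the advisory.
declare(strict_types=1);

const NAME_HINT     = 'booktics';  // assumed: plugin directory or header name contains this
const LAST_AFFECTED = '1.0.21';    // from the advisory

// Read the plugin header block. WordPress only inspects the first 8 KiB of the
// main file for "Plugin Name:" and "Version:" lines, so do the same.
function parse_plugin_header(string $file): ?array
{
    $head = file_get_contents($file, false, null, 0, 8192);
    if ($head === false || !preg_match('/^\s*\*?\s*Plugin Name:\s*(.+)$/mi', $head, $name)) {
        return null;   // not a plugin main file
    }
    $version = preg_match('/^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)/mi', $head, $ver) ? $ver[1] : '0';
    return ['name' => trim($name[1]), 'version' => $version];
}

// Return every plugin main file that looks like Booktics at an affected version.
function find_affected(string $plugins_dir): array
{
    $hits = [];
    foreach (glob($plugins_dir . '/*/*.php') ?: [] as $file) {
        $header = parse_plugin_header($file);
        if ($header === null) {
            continue;
        }
        $looks_like_booktics = stripos($header['name'], NAME_HINT) !== false
            || stripos(basename(dirname($file)), NAME_HINT) !== false;
        // version_compare handles multi-part versions such as 1.0.21.1 > 1.0.21.
        if ($looks_like_booktics && version_compare($header['version'], LAST_AFFECTED, '<=')) {
            $hits[] = ['file' => $file] + $header;
        }
    }
    return $hits;
}

$dir  = $argv[1] ?? '/var/www/html/wp-content/plugins';   // assumed default location
$hits = find_affected($dir);
if ($hits === []) {
    echo "OK: no Booktics <= " . LAST_AFFECTED . " found under {$dir}\n";
    exit(0);
}
foreach ($hits as $hit) {
    printf("AFFECTED: %s %s (%s)\n", $hit['name'], $hit['version'], $hit['file']);
}
exit(1);   // non-zero so a CI or image-promotion step can fail on a hit
```

Run it as `php check_booktics.php /path/to/wp-content/plugins`; a non-zero exit means an affected copy is present. Note that it inspects files only: a plugin that is deactivated in the database but still on disk is still reported, which is the conservative answer for an image-promotion gate.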
Affected Products
- Arraytics / Booktics: versions ≤ 1.0.21
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H