PHP Object Injection in WordPress Appointments Plugin

Successful exploitation allows an unauthenticated remote attacker to inject PHP objects into the vulnerable application context. Based on the provided content, attackers were observed leveraging this to create backdoors, implying compromise of site integrity and the ability to establish persistent unauthorized access. The associated CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates potential for complete compromise of confidentiality, integrity, and availability on affected systems.

If immediate patching is not possible, reduce exposure by disabling the Appointments plugin until it can be updated. Treat any site running a vulnerable version as potentially compromised if it was internet-accessible. Review for suspicious files, unexpected theme or plugin modifications, and anomalous administrator activity. Monitor logs and file integrity for evidence of exploitation involving the wpmudev_appointments cookie or subsequent persistence mechanisms. These are temporary risk-reduction measures and do not replace applying the vendor fix.

Update the Appointments plugin to a version that fixes the insecure deserialization issue; the vulnerable range is up to and including 2.2.1, so affected installations should move to a patched release or the latest available version immediately. Because the content states the vulnerability was actively exploited to create backdoors, remediation should also include incident response actions on potentially exposed sites: inspect the WordPress installation for unauthorized files or code, remove any discovered backdoors or malicious modifications, and review relevant logs for signs of unauthorized access or exploitation activity.