A new PHP object injection vulnerability has been discovered in a well-known WordPress plugin (with around 60,000 installations at the time of this writing).
The vulnerability has a high CVSS (Common Vulnerability Scoring System) score of 8.1 (out of 10) and affects the Booking Calendar plugin by wpdevelop/oplugins.
The plugin allows a website owner to book appointments with potential or existing clients through an online booking system.
It can also publish a flexible timeline that shows existing bookings and openings, using the following shortcode: [bookingflextimeline].
As reported by Wordfence:
Be Sure to Patch Your Plugins If You Haven’t Done So Already
We recommend upgrading your plugins to their newest versions, because they have been patched.
By making sure that you’re upgraded to the latest versions, you don’t run the risk of becoming compromised by hackers exploiting these vulnerabilities.
Also, if you haven’t done so already, be sure to add a security plugin like Wordfence to your site, so that it can check for these types of vulnerabilities for you.