Description
WordPress Plugin Appointments is prone to a vulnerability that lets remote attackers inject and execute arbitrary code because the application fails to sanitize user-supplied input before passing it to the PHP unserialize() function. Attackers can possibly exploit this issue to execute arbitrary PHP code within the context of the affected web server process. WordPress Plugin Appointments version 2.2.1 is vulnerable; prior versions may also be affected.
Remediation
Update the plugin to version 2.2.2 or the latest version.
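For code that has to read serialized data from a request, the unsafe unserialize() pattern from the description is shown here next to a hardened form. This is an added example, not the plugin's code or its 2.2.2 fix; `CacheFile` and `decode_untrusted` are hypothetical names and both inputs are constructed.

```php
<?php
// Constructed stand-in for any loaded class that has a magic method.
// It is not a class from the Appointments plugin.
final class CacheFile
{
    public static array $log = [];
    public string $path = '';

    public function __destruct()
    {
        // A real class might write to or delete $this->path at this point.
        self::$log[] = "destructor ran for {$this->path}";
    }
}

// Hardened decoder (hypothetical helper): never instantiate classes from
// request data, and accept only a flat array of scalar values.
function decode_untrusted(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;                 // malformed input or not an array
    }
    foreach ($value as $item) {
        if (!is_scalar($item)) {     // rejects __PHP_Incomplete_Class, nesting
            return null;
        }
    }
    return $value;
}

// Constructed inputs: a plain settings array, and an array carrying an object.
$benign  = 'a:2:{s:6:"worker";i:3;s:4:"date";s:10:"2017-10-02";}';
$crafted = 'a:1:{i:0;O:9:"CacheFile":1:{s:4:"path";s:11:"example.tmp";}}';

// Unsafe pattern: the class named in the input is instantiated, and its
// destructor runs with attacker-chosen property values once it is freed.
$unsafe = unserialize($crafted);
unset($unsafe);
echo 'unsafe call, destructors run: ', count(CacheFile::$log), PHP_EOL;

// Hardened pattern: the object never becomes a CacheFile, so no magic
// method fires and the input is rejected.
$before = count(CacheFile::$log);
var_dump(decode_untrusted($crafted));
echo 'hardened call, new destructor runs: ',
    count(CacheFile::$log) - $before, PHP_EOL;
var_dump(decode_untrusted($benign));
```

Where the data format is under the developer's control, exchanging it as JSON and reading it with json_decode() avoids object instantiation altogether.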
References
https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploited-wild/
https://plugins.svn.wordpress.org/appointments/trunk/changelog.txt