The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Appointment Booking Calendar Plugin and Scheduling Plugin for WordPress contains a critical PHP object injection vulnerability in versions through 1.1.28. The plugin fails to validate user-supplied data before passing it to PHP's deserialization functions, enabling unauthenticated attackers to inject malicious serialized objects. When a suitable gadget chain exists in the WordPress environment, this vulnerability can be exploited to achieve remote code execution (RCE) with the privileges of the web server. This poses an immediate threat to any WordPress installation using this plugin, as the attack requires no authentication and can be triggered remotely.
Casky's security skills leverage Claude AI with extended reasoning to detect the attack patterns associated with this deserialization vulnerability by analyzing code paths related to MITRE ATT&CK T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter). Practitioners using Casky would observe findings highlighting unsafe deserialization patterns, particularly PHP unserialize() calls without input validation, suspicious object instantiation sequences characteristic of gadget chain exploitation, and POST/GET parameter handling that directly reaches serialization functions. The platform would flag the absence of input sanitization checks, type validation, or use of safe alternatives like json_decode(), helping teams identify vulnerable plugin versions in their codebase before exploitation occurs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-12378. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation