CVE-2025-64266: Deserialization of Untrusted Data in magepeopleteam Booking and Rental Manager
Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager (booking-and-rental-manager-for-woocommerce) allows Object Injection. This issue affects Booking and Rental Manager: from n/a through <= 2.5.4.
AI Analysis
Technical Summary
CVE-2025-64266 is a deserialization-of-untrusted-data (CWE-502) vulnerability in the magepeopleteam Booking and Rental Manager plugin for WooCommerce (slug booking-and-rental-manager-for-woocommerce), affecting all versions up to and including 2.5.4. The plugin hands attacker-controllable serialized data to PHP's unserialize() (directly or through a wrapper such as WordPress's maybe_unserialize()) without restricting which classes may be instantiated. An authenticated user with low privileges can therefore submit a crafted serialized string and have PHP instantiate arbitrary classes with attacker-chosen property values: PHP object injection. Whether that turns into remote code execution, file deletion or data disclosure depends on the "gadget" classes present in the loaded code base, since WordPress core, other active plugins and vendored libraries all contribute magic methods (__wakeup, __destruct, __toString) that run on the injected object. The advisory does not name the vulnerable function or request parameter. The analysis reports a CVSS v3.1 base score of 8.8: network attack vector, low attack complexity, low privileges, no user interaction, and high impact on confidentiality, integrity and availability. On a WooCommerce store with open customer registration, the low-privilege precondition is met by anyone who creates an account, so in practice the attack surface is close to unauthenticated. No public exploit was known at the time of this analysis, but the issue is publicly disclosed and PHP object injection is a well-understood bug class with mature tooling for gadget-chain discovery, so it should be treated as exploitable. No fixed version was listed at the time of this analysis, which makes mitigation rather than patching the immediate option.
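To make the mechanism concrete, the following PHP script models the bug class described above in a WordPress-plugin style: a request value fed straight to unserialize(), a harmless-looking "gadget" class whose destructor runs on the injected object, and two hardened loaders beside it. This is an added example, not code from Booking and Rental Manager or from magepeopleteam; the class CacheFlusher, the load_state_* functions and the idea of a "state" parameter are hypothetical, and the script assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added illustration of CWE-502 / PHP object injection in the style of a
// WordPress plugin. Nothing here is code from Booking and Rental Manager;
// the class CacheFlusher, the function names and the "state" value are
// hypothetical. Requires PHP >= 8.0.

// A gadget: a legitimate class that already exists somewhere in the loaded
// code base (core, another plugin, a vendored library). The attacker never
// calls it; unserialize() instantiates it and PHP runs the magic method.
class CacheFlusher
{
    public string $path = '';

    public function __destruct()
    {
        // A real gadget would unlink($this->path), write a file, or call
        // call_user_func() on a property. We only report, to keep the demo safe.
        if ($this->path !== '') {
            echo "[gadget fired] __destruct would delete: {$this->path}\n";
        }
    }
}

// VULNERABLE: request-derived state goes straight into unserialize().
// The attacker chooses the class and every property value.
function load_state_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// True if $value is or contains any object, including the
// __PHP_Incomplete_Class placeholders unserialize() emits for refused classes.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED: refuse every class, then reject anything that is not plain data.
// No object is instantiated, so no __wakeup/__destruct gadget can run.
function load_state_hardened(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data) || contains_object($data)) {
        throw new InvalidArgumentException('state must be a plain array');
    }
    return $data;
}

// BETTER: do not use PHP serialization for untrusted state at all.
// JSON has no class semantics, so there is no object to inject.
function load_state_json(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('state must be a JSON object or array');
    }
    return $data;
}

// --- Demo ----------------------------------------------------------------
// Attacker side: the payload is an ordinary string that could arrive in a
// POST field, a cookie or a query parameter.
$gadget = new CacheFlusher();
$gadget->path = '/var/www/html/wp-config.php';
$payload = serialize($gadget);
$gadget->path = '';                      // silence this instance at shutdown
echo "payload: $payload\n";

echo "vulnerable: ";
$obj = load_state_vulnerable($payload);  // CacheFlusher is instantiated...
unset($obj);                             // ...and its __destruct fires here

echo "hardened:   ";
try {
    load_state_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected ({$e->getMessage()}); no destructor ran\n";
}

echo "json:       ";
print_r(load_state_json('{"booking_id": 42, "qty": 2}'));
```

Two caveats worth keeping in mind when reviewing plugin code against this pattern. First, wrapping the call in WordPress's maybe_unserialize() is not a fix: it passes the data on to unserialize() without an allowed_classes restriction (verify against the core version you run). Second, `allowed_classes => false` stops instantiation but the placeholder objects still arrive, which is why the hardened loader rejects anything that is not a plain array instead of trusting the result.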
Potential Impact
For European organizations, successful exploitation of CVE-2025-64266 could mean unauthorized reading of customer and booking data (names, contact details and the order records WooCommerce keeps alongside bookings), manipulation or deletion of booking and rental records, and, if a usable gadget chain yields code execution, full compromise of the web server and of every other site it hosts. The availability impact is direct: the plugin sits in the booking flow, so a corrupted or disabled site stops taking reservations and revenue. Because only low privileges are required, a self-registered customer account or a compromised staff account is sufficient, which also turns a minor insider into a high-impact one. Sectors that typically run this kind of plugin on WooCommerce, such as travel, hospitality, vehicle rental and event management, are the most exposed. A breach involving personal data triggers GDPR notification duties and exposes the organization to regulatory penalties.
Mitigation Recommendations
1. Restrict who can reach the plugin's endpoints (booking forms, admin-ajax.php actions and any REST routes it registers) to the users who need them, and review which roles the plugin exposes functionality to.
2. If the plugin is not essential, deactivate or uninstall it until a fixed release is available. Deactivating removes the vulnerable code path entirely, since WordPress only loads active plugins.
3. Monitor web-server and application logs for PHP serialized data in query strings, POST bodies and cookies. The tokens O:<n>:"ClassName" and C:<n>:"ClassName" (raw, URL-encoded or base64-wrapped) almost never appear in legitimate traffic, and a burst of them from a low-privilege account is a strong signal. Also watch for new PHP files under wp-content/uploads and for unexpected outbound connections from the web server.
4. Apply least privilege to all accounts: decide whether customer self-registration must stay open, since any self-registered account satisfies the low-privilege precondition, and remove unused or dormant accounts.
5. Watch the vendor and Patchstack for a fixed release; once one is published, test it and deploy it on every affected site.
6. Put a Web Application Firewall rule in front of the plugin's endpoints that blocks the serialized-object signatures from item 3; scope it narrowly and expect to tune it, as some legitimate admin forms carry serialized arrays (a:<n>:{...}) but should not carry objects.
7. For developers: never pass request-derived data to unserialize(). Where PHP serialization is unavoidable, call it with allowed_classes set to false and validate the result; otherwise use JSON (wp_json_encode()/json_decode()). WordPress's maybe_unserialize() does not restrict classes and is not a substitute for this.
8. Audit regularly: search active plugins and themes for unserialize( and maybe_unserialize( applied to $_GET, $_POST, $_COOKIE or $_REQUEST data, and inventory installed plugins and libraries for known gadget chains (for example with phpggc). Removing or updating the component that supplies the gadget reduces impact even before the vulnerable plugin is fixed.
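The detection logic behind items 3 and 6 above is small enough to run as a log-review script or to transcribe into a WAF rule. The following PHP script is an added example (not from the advisory, the plugin or the vendor): it flags request parameters carrying a PHP serialized object, whether raw, URL-encoded or base64-wrapped, and runs over three constructed query strings. The parameter name "state" and the class name in the sample payload are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory or the plugin: flag request
// parameters that carry a PHP serialized object, in the raw value, after
// URL decoding, or wrapped in (URL-safe) base64. All requests below are
// constructed for the demo; "state" is a hypothetical parameter name.

// Matches O:<len>:"<Class>":<n>:{ (object) or C:<len>:"<Class>":<n>:{
// (custom-serialized object). Plain arrays (a:) and strings (s:) are not
// flagged, because legitimate forms sometimes carry those.
const SERIALIZED_OBJECT = '/(?<![A-Za-z0-9])[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';

/** Return the value plus the decodings an attacker might hide a payload behind. */
function decode_layers(string $value): array
{
    $layers = [$value];
    $decoded = rawurldecode($value);
    if ($decoded !== $value) {
        $layers[] = $decoded;            // double-encoded query/cookie values
    }
    foreach ($layers as $layer) {
        // Only try base64 on strings that look like it; strict mode rejects junk.
        if (preg_match('~^[A-Za-z0-9+/=_-]{8,}$~', $layer)) {
            $bin = base64_decode(strtr($layer, '-_', '+/'), true);
            if ($bin !== false) {
                $layers[] = $bin;
            }
        }
    }
    return $layers;
}

/** @return list<array{param:string,layer:int,match:string}> */
function find_serialized_objects(array $params, string $prefix = ''): array
{
    $hits = [];
    foreach ($params as $name => $value) {
        $key = $prefix === '' ? (string) $name : "{$prefix}[{$name}]";
        if (is_array($value)) {           // nested form fields: param[x]=...
            $hits = array_merge($hits, find_serialized_objects($value, $key));
            continue;
        }
        if (!is_string($value)) {
            continue;
        }
        foreach (decode_layers($value) as $i => $candidate) {
            if (preg_match(SERIALIZED_OBJECT, $candidate, $m)) {
                $hits[] = ['param' => $key, 'layer' => $i, 'match' => $m[0]];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample query strings: benign, raw payload, base64-wrapped payload.
$objectPayload = 'O:12:"CacheFlusher":1:{s:4:"path";s:3:"abc";}';
$samples = [
    'action=get_booking&date=2025-12-18&qty=2',
    'action=get_booking&state=' . rawurlencode($objectPayload),
    'action=get_booking&state=' . rawurlencode(base64_encode($objectPayload)),
];

foreach ($samples as $qs) {
    parse_str($qs, $params);             // what PHP would see in $_GET / $_POST
    $hits = find_serialized_objects($params);
    printf("%-75s -> %s\n", $qs, $hits ? 'ALERT ' . json_encode($hits) : 'ok');
}
```

The same check belongs on cookies and, if the plugin reads serialized values back from the database (options, post meta, order meta), on those stored values too, since an attacker who can write such a row gets a second path to unserialize(). Expect near-zero false positives for the O:/C: signatures on a typical store; if a legitimate workflow does trip the rule, narrow it to the plugin's own endpoints rather than loosening the pattern.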
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-29T03:08:22.608Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6943b0544eb3efac36700ac7
Added to database: 12/18/2025, 7:42:12 AM
Last enriched: 1/20/2026, 11:55:11 PM
Last updated: 2/7/2026, 6:25:05 AM