CVE-2017-20206

CRITICAL EXPLOITED

Appointments plugin for WordPress <=2.2.1 - PHP Object Injection (Deserialization of Untrusted Data)

Title source: llm

Exploitation Summary

CVE-2017-20206 has been observed being exploited in the wild (reported by VulnCheck KEV).

Description

The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1: the value of the `wpmudev_appointments` cookie is passed to PHP deserialization without validation, so an unauthenticated attacker who sends a crafted cookie can instantiate arbitrary PHP objects inside the application. Object injection on its own is not code execution; the impact depends on a usable gadget chain being present, and in the exploitation observed in the wild attackers used the WP_Theme class as that gadget to create backdoors.
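The cookie-based deserialization described above, as an added example that is not part of this advisory or the plugin's own code: a minimal parser for PHP's serialize() wire format that walks a `wpmudev_appointments` cookie value without instantiating anything and reports every class name it contains, so a log or WAF triage script can flag any object payload (an `O:` or `C:` token) and, specifically, the WP_Theme class this advisory names. The cookie samples are constructed for illustration and are not real traffic or a working exploit chain; the function names and the `GADGET_CLASSES` list are this example's own assumptions.

```python
"""Flag PHP object-injection payloads in the wpmudev_appointments cookie.

Added example for this advisory, not code from the Appointments plugin.
The parser follows PHP's serialize() format; samples below are constructed.
"""
from typing import Any, Dict, List, Tuple
from urllib.parse import quote, unquote

COOKIE_NAME = "wpmudev_appointments"
# Class named by the advisory as abused in the wild. Assumption: a short
# list of classes of interest, not an exhaustive PHP gadget catalogue.
GADGET_CLASSES = {"WP_Theme"}


class PhpUnserializeError(ValueError):
    """Raised when the value is not well-formed serialize() output."""


def _expect(data: bytes, pos: int, token: bytes) -> int:
    if data[pos:pos + len(token)] != token:
        raise PhpUnserializeError(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def _parse(data: bytes, pos: int, classes: List[str]) -> Tuple[Any, int]:
    """Parse one value starting at pos; append every class name seen."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                  # N;
        return None, _expect(data, pos + 1, b";")
    if tag in (b"i", b"b", b"d", b"r", b"R"):        # i:42; b:1; d:1.5; r:2; R:2;
        end = data.index(b";", _expect(data, pos + 1, b":"))
        text = data[pos + 2:end].decode("ascii", "replace")
        if tag == b"b":
            return text == "1", end + 1
        if tag == b"d":
            return float(text), end + 1
        return int(text), end + 1
    if tag == b"s":                                  # s:<bytelen>:"<bytes>";
        colon = data.index(b":", _expect(data, pos + 1, b":"))
        length = int(data[pos + 2:colon])            # byte length, so strings
        start = _expect(data, colon, b':"')          # containing '{' or ';'
        raw = data[start:start + length]             # cannot confuse the walk
        return raw.decode("utf-8", "replace"), _expect(data, start + length, b'";')
    if tag == b"a":                                  # a:<count>:{key value ...}
        colon = data.index(b":", _expect(data, pos + 1, b":"))
        count = int(data[pos + 2:colon])
        pos = _expect(data, colon, b":{")
        items: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = _parse(data, pos, classes)
            items[key], pos = _parse(data, pos, classes)
        return items, _expect(data, pos, b"}")
    if tag in (b"O", b"C"):   # O:<len>:"<class>":<count>:{...}  C:<len>:"<class>":<bytes>:{...}
        colon = data.index(b":", _expect(data, pos + 1, b":"))
        name_len = int(data[pos + 2:colon])
        name_start = _expect(data, colon, b':"')
        name = data[name_start:name_start + name_len].decode("utf-8", "replace")
        classes.append(name)                         # the detection signal
        pos = _expect(data, name_start + name_len, b'":')
        colon = data.index(b":", pos)
        count = int(data[pos:colon])
        pos = _expect(data, colon, b":{")
        if tag == b"C":                              # opaque Serializable blob
            blob = data[pos:pos + count]
            return {"__class__": name, "__custom__": blob}, _expect(data, pos + count, b"}")
        props: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = _parse(data, pos, classes)
            props[key], pos = _parse(data, pos, classes)
        return {"__class__": name, "__props__": props}, _expect(data, pos, b"}")
    raise PhpUnserializeError(f"unknown type tag {tag!r} at offset {pos}")


def php_unserialize(value: str) -> Tuple[Any, List[str]]:
    """Return (decoded value, class names in document order); never instantiates."""
    data = value.encode("utf-8")
    classes: List[str] = []
    obj, end = _parse(data, 0, classes)
    if end != len(data):
        raise PhpUnserializeError(f"trailing data at offset {end}")
    return obj, classes


def inspect_cookie_header(header: str) -> Dict[str, Any]:
    """Triage a raw Cookie header value from a request log or WAF event."""
    for part in header.split(";"):
        name, _, raw = part.strip().partition("=")
        if name == COOKIE_NAME:
            break
    else:
        return {"verdict": "absent", "classes": []}
    try:
        _, classes = php_unserialize(unquote(raw))
    except (ValueError, TypeError):
        # Not valid serialize() output: a tamper attempt or an unrelated
        # value. Worth a look, but not by itself proof of exploitation.
        return {"verdict": "malformed", "classes": []}
    if classes:
        return {"verdict": "object_injection", "classes": classes,
                "known_gadget": bool(GADGET_CLASSES & set(classes))}
    return {"verdict": "benign", "classes": []}


# Constructed samples: a plain booking array versus an object payload.
BENIGN_VALUE = 'a:2:{s:4:"date";s:10:"2017-10-02";s:7:"service";i:3;}'
OBJECT_VALUE = 'O:8:"WP_Theme":1:{s:7:"headers";a:1:{s:4:"Name";s:8:"backdoor";}}'


def build_header(value: str) -> str:
    """Build a Cookie header the way a browser would send it (URL-encoded)."""
    return f"{COOKIE_NAME}={quote(value, safe='')}; wordpress_test_cookie=WP+Cookie+check"


if __name__ == "__main__":
    for label, value in (("benign", BENIGN_VALUE), ("object", OBJECT_VALUE)):
        print(label, inspect_cookie_header(build_header(value)))
    print("malformed", inspect_cookie_header(f'{COOKIE_NAME}=O:8:"WP_Theme"'))
```

The parser is length-driven rather than regex-driven on purpose: a `s:` length prefix means an attacker cannot hide an `O:` token inside a string to dodge a naive grep, and a nested object inside an array is still reported. Any `object_injection` verdict against this cookie is a hard indicator, since the plugin's legitimate value has no reason to contain objects at all; `malformed` is a softer signal worth correlating with other requests from the same source.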

Scores

CVSS v3 9.8
EPSS 0.0067
EPSS Percentile 47.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none (CISA vulnrichment value; it does not reflect the VulnCheck KEV listing above)
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2017-10-02
CWE
CWE-502
Status published
Products (2)
wpmudev/appointments < 2.2.1
wpmudev/Appointments < 2.2.2
Published Oct 18, 2025
Tracked Since Feb 18, 2026