{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27095", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:24:05.456Z", "datePublished": "2026-03-25T16:14:56.549Z", "dateUpdated": "2026-03-25T16:14:56.549Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bus-ticket-booking-with-seat-reservation", "product": "Bus Ticket Booking with Seat Reservation", "vendor": "magepeopleteam", "versions": [{"lessThanOrEqual": "<= 5.6.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:35.061Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Object Injection.<p>This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.6.0.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Object Injection.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.6.0."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:56.549Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/bus-ticket-booking-with-seat-reservation/vulnerability/wordpress-bus-ticket-booking-with-seat-reservation-plugin-5-6-2-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Bus Ticket Booking with Seat Reservation plugin <= 5.6.0 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Object Injection.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.6.0."}], "id": "CVE-2026-27095", "lastModified": "2026-03-25T17:16:56.637", "metrics": {}, "published": "2026-03-25T17:16:56.637", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/bus-ticket-booking-with-seat-reservation/vulnerability/wordpress-bus-ticket-booking-with-seat-reservation-plugin-5-6-2-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:40:01.786804+00:00", "value": {"mitigation_remediation": ["Update the Bus Ticket Booking with Seat Reservation plugin to the latest available version (\u22655.6.1, e.g., 5.6.2).", "If an upgrade cannot be applied immediately, deactivate or remove the plugin to prevent exploitation.", "Ensure that WordPress core and all other plugins are kept up to date and monitor site logs for unexpected serialization activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running Magepeopleteam's Bus Ticket Booking with Seat Reservation plugin, versions up to and including 5.6.0. No other vendors or products are listed as affected.", "description_and_impact": "The plugin deserializes user\u2011supplied data without proper validation, enabling PHP object injection. An attacker who can supply crafted serialized objects can potentially execute arbitrary PHP code on the server, leading to full compromise of the application and underlying system. The weakness corresponds to the PHP Object Injection pattern identified by CWE-502.", "risk_and_exploitability": "Because no publicly available CVSS score or EPSS data is provided, precise severity quantification is unavailable. However, the nature of the vulnerability\u2014unvalidated deserialization of public input\u2014gives it a potentially high exploitability rating. Attackers could reach the vulnerable code path over the web by sending a crafted request that includes malicious serialized data, and if exploited they would gain complete control over the affected WordPress installation. The vulnerability has not yet been cataloged in the CISA KEV database, but the lack of a known exploit or mitigation status does not lower the perceived risk."}}}}, "created": "2026-03-25T21:43:49.930317+00:00", "updated": "2026-03-25T21:43:49.930346+00:00", "vendors": []}