CVE-2017-20206

9.8 CRITICAL

📋 TL;DR

The Appointments plugin for WordPress (WPMU DEV) passes the value of the wpmudev_appointments cookie to PHP's unserialize() without validation. Because the cookie is attacker-controlled and is processed before any authentication check, an unauthenticated attacker can inject arbitrary PHP objects and, through a suitable gadget chain, execute arbitrary code on the site. All versions up to and including 2.2.1 are affected; 2.2.2 fixes the issue. Attackers were observed exploiting this in the wild, using the WP_Theme class as the gadget to write backdoor files.
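The following is an added example and not code from the Appointments plugin: it shows the unsafe pattern the TL;DR describes (unserialize() on the wpmudev_appointments cookie) beside two hardened alternatives, and runs a constructed payload through all three. Class, function and key names are illustrative assumptions; only the cookie name comes from the advisory, and the gadget class is a stand-in rather than WP_Theme.

```php
<?php
// Added example, not plugin code. Demonstrates why unserialize() on a cookie is
// exploitable and two ways to close the hole. Names are illustrative assumptions.

// Stand-in gadget class, constructed for this demo. Its destructor writes a
// file, which is the kind of side effect a real POP chain abuses (the page
// names WP_Theme as the gadget seen in the wild; this class is not WP_Theme).
class DemoGadget
{
    public $path = '';
    public $content = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// VULNERABLE: unserialize() instantiates whatever class the cookie names and
// runs its magic methods (__wakeup, __destruct, __toString) with attacker data.
function load_app_data_vulnerable(array $cookie): array
{
    if (!isset($cookie['wpmudev_appointments'])) {
        return [];
    }
    $data = unserialize($cookie['wpmudev_appointments']);
    return is_array($data) ? $data : [];   // the injected object is still destructed here
}

// HARDENED (narrow fix, PHP >= 7.0): keep the wire format but refuse classes.
// Any "O:" entry becomes __PHP_Incomplete_Class, which has no magic methods.
function load_app_data_no_classes(array $cookie): array
{
    if (!isset($cookie['wpmudev_appointments'])) {
        return [];
    }
    $data = @unserialize($cookie['wpmudev_appointments'], ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// HARDENED (preferred): switch the cookie to JSON, decode to plain arrays, and
// copy only allow-listed integer keys so nothing else survives the round trip.
function load_app_data_json(array $cookie): array
{
    if (!isset($cookie['wpmudev_appointments'])) {
        return [];
    }
    $data = json_decode($cookie['wpmudev_appointments'], true, 4);
    if (!is_array($data)) {
        return [];
    }
    $clean = [];
    foreach (['service', 'worker', 'location'] as $key) {   // illustrative keys, an assumption
        if (isset($data[$key]) && is_int($data[$key])) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

// Constructed attack cookie: a serialized DemoGadget whose destructor drops a
// marker file in the temp dir (assumes a POSIX temp path without backslashes).
$target  = sys_get_temp_dir() . '/cve-2017-20206-demo.txt';
$payload = sprintf(
    'O:10:"DemoGadget":2:{s:4:"path";s:%d:"%s";s:7:"content";s:8:"backdoor";}',
    strlen($target),
    $target
);

foreach (['load_app_data_vulnerable', 'load_app_data_no_classes', 'load_app_data_json'] as $fn) {
    @unlink($target);
    $fn(['wpmudev_appointments' => $payload]);
    printf("%-26s %s\n", $fn . ':', file_exists($target) ? "gadget ran, wrote $target" : 'payload neutralised');
}
@unlink($target);
```

Run it with the PHP CLI: the vulnerable loader writes the marker file even though it "returns an empty array", because the injected object is destructed on the way out; the allowed_classes variant and the JSON variant both leave nothing behind. The JSON variant is the stronger fix because it also removes the ability to smuggle nested objects inside otherwise harmless arrays.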

💻 Affected Systems

Products:
  • WordPress Appointments Plugin
Versions: Up to and including 2.2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the Appointments plugin active; no special configuration is needed.

📦 What is this software?

Appointments is a WordPress booking plugin by WPMU DEV that lets site visitors schedule appointments with service providers from the front end of the site.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the web server user: remote code execution, backdoor installation, theft of the WordPress database (credentials, customer and booking data), and site defacement.

🟠 Likely Case

A web shell or backdoor dropped through the gadget chain, giving persistent unauthenticated access used for data exfiltration, spam or malware distribution, and pivoting to other sites on the same host.

🟢 If Mitigated

Limited impact if the plugin is deactivated or requests carrying a serialized object in the wpmudev_appointments cookie are dropped at the WAF or reverse proxy; the vulnerable code remains until 2.2.2 or later is installed, so these are stop-gaps, not fixes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploited in the wild at the time of disclosure; observed payloads used the WP_Theme class as the gadget to write a backdoor file. No authentication, prior knowledge of the site, or special configuration is needed: a single request with a crafted cookie is enough.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.2

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/1733186/appointments

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Appointments plugin.
4. Click "Update Now" if the update is offered.
5. If it is not, download version 2.2.2 or later from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Platform: all

Disable the Appointments plugin until patched to prevent exploitation.

wp plugin deactivate appointments

Cookie Validation

Platform: all

Add a WAF or reverse-proxy rule that drops any request whose wpmudev_appointments cookie contains a serialized PHP object (the token O:<n>:"ClassName", URL-encoded as O%3A). Do not try to "sanitize" the value: rewriting a serialized string is error-prone, and blocking the request outright is the only safe outcome.

🧯 If You Can't Patch

  • Disable the Appointments plugin immediately (wp plugin deactivate appointments)
  • Block requests carrying a serialized PHP object in the wpmudev_appointments cookie at the WAF, reverse proxy, or in a WordPress must-use plugin that loads before Appointments
  • Monitor wp-content for new or modified PHP files, since an already-planted backdoor survives both measures above
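Where no WAF is available, the same cookie check can be enforced inside WordPress. The following is an added example, not WPMU DEV code: a must-use plugin (drop-in under wp-content/mu-plugins/, path assumed to be the default) that rejects the request before Appointments can unserialize the cookie. It assumes, as a labelled assumption, that legitimate cookie values are serialized arrays and never contain objects; the sample values in the self-test are constructed.

```php
<?php
/*
 * Plugin Name: Block serialized objects in wpmudev_appointments cookie
 * Description: Added example (not WPMU DEV code). Stop-gap for CVE-2017-20206
 *              until Appointments is updated to 2.2.2. Install by copying this
 *              file into wp-content/mu-plugins/ (assumed default location).
 */

// Must-use plugins load before regular plugins, so this runs before the
// Appointments code touches the cookie. Assumption: legitimate values are
// serialized scalars/arrays ("a:..."), so any object token "O:" or custom
// Serializable token "C:" is hostile. A legitimate string value containing
// that exact sequence would be a false positive; blocking is the safe side.
function cve_2017_20206_cookie_is_hostile(string $value): bool
{
    // $_COOKIE is already URL-decoded by PHP, so inspect the raw value.
    return (bool) preg_match('/[OC]:\d+:"/', $value);
}

function cve_2017_20206_guard(): void
{
    if (!isset($_COOKIE['wpmudev_appointments'])) {
        return;
    }
    $raw = (string) $_COOKIE['wpmudev_appointments'];
    if (!cve_2017_20206_cookie_is_hostile($raw)) {
        return;
    }
    // Log the class name and source for correlation with the access log,
    // but never the payload itself (it may be large or contain a web shell).
    $class = preg_match('/O:\d+:"([^"]+)"/', $raw, $m) ? $m[1] : 'n/a';
    error_log(sprintf(
        'CVE-2017-20206 guard: blocked serialized object (%s) from %s for %s',
        $class,
        $_SERVER['REMOTE_ADDR'] ?? '?',
        $_SERVER['REQUEST_URI'] ?? '?'
    ));
    http_response_code(403);
    exit('Forbidden');
}

if (PHP_SAPI === 'cli') {
    // Self-test with constructed cookie values when run from the command line
    // (php block-appointments-cookie.php). Expected verdict on the right.
    $samples = [
        'a:2:{s:7:"service";i:3;s:6:"worker";i:1;}'        => false, // legitimate array
        'O:8:"WP_Theme":0:{}'                               => true,  // object at top level
        'a:1:{i:0;O:10:"DemoGadget":0:{}}'                  => true,  // object nested in an array
        'C:11:"ArrayObject":21:{x:i:0;a:0:{};m:a:0:{}}'     => true,  // Serializable class
    ];
    foreach ($samples as $value => $expected) {
        $got = cve_2017_20206_cookie_is_hostile($value);
        printf("%s  %s\n", $got === $expected ? 'ok  ' : 'FAIL', $value);
    }
} else {
    cve_2017_20206_guard();
}
```

The guard returns 403 rather than silently unsetting the cookie so that attempts show up in the PHP error log and the web-server access log as a distinct status code. Remove the file once the plugin is on 2.2.2 or later.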

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel open Plugins > Installed Plugins and read the version shown under Appointments. Version 2.2.1 or lower is vulnerable, whether or not any booking page is published.

Check Version:

wp plugin get appointments --field=version

Verify Fix Applied:

Verify Appointments plugin version is 2.2.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Requests of any method carrying a wpmudev_appointments cookie whose value contains the PHP object token O:<n>:"ClassName" (URL-encoded O%3A); note that Apache and nginx do not log cookies unless the Cookie header is added to the log format
  • PHP notices or warnings from unserialize() in the PHP error log (for example "Error at offset"), which appear when a payload is malformed or probing
  • Unexpected new or modified PHP files under wp-content, including wp-content/themes, where the observed WP_Theme-based payloads wrote their backdoor

Network Indicators:

  • Inbound HTTP requests whose Cookie header contains a serialized PHP object (O:<n>:"...") in the wpmudev_appointments cookie
  • Outbound connections from the web server to hosts it has no reason to contact (backdoor check-in or second-stage download)

SIEM Query:

(source="access.log" AND "wpmudev_appointments=" AND ("O%3A" OR "O:")) OR (source="php_error.log" AND "unserialize")

The first clause only produces results if the Cookie header is written to the access log, which neither Apache nor nginx does by default; otherwise inspect the cookie at the WAF or reverse proxy. O: (URL-encoded O%3A) is the PHP serialization token for an object, which booking state made of scalars and arrays has no reason to contain.
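The following is an added example, not part of the page: a small PHP CLI scanner that applies the log indicators above to access-log lines. It assumes the access-log format was extended to record the Cookie header as a final quoted field (servers do not log cookies by default), and the three log lines it scans are constructed for the demo.

```php
<?php
// Added example, not part of the advisory. Scans access-log lines for a
// wpmudev_appointments cookie carrying a serialized PHP object and reports
// the class names it names. Log format and sample lines are assumptions.

// Combined-log-like line with "$http_cookie" appended as a trailing quoted field.
const LOG_RE = '/^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$/';

// Pull one named cookie out of a raw Cookie header and URL-decode it.
function cookie_value(string $cookieHeader, string $name): ?string
{
    foreach (explode(';', $cookieHeader) as $pair) {
        $pair = trim($pair);
        if (strpos($pair, $name . '=') === 0) {
            return urldecode(substr($pair, strlen($name) + 1));
        }
    }
    return null;
}

// Returns a finding for a line that carries an object token, otherwise null.
function scan_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    $value = cookie_value($m['cookie'], 'wpmudev_appointments');
    if ($value === null) {
        return null;
    }
    // PHP object token inside the serialized value: O:<len>:"<Class>"
    if (!preg_match_all('/O:\d+:"([^"]+)"/', $value, $classes)) {
        return null;
    }
    return [
        'ip'           => $m['ip'],
        'time'         => $m['ts'],
        'request'      => $m['req'],
        'classes'      => array_values(array_unique($classes[1])),
        // WP_Theme is the gadget the page reports in observed attacks.
        'known_gadget' => in_array('WP_Theme', $classes[1], true),
    ];
}

function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $hit = scan_line($line);
        if ($hit !== null) {
            $hits[] = $hit;
        }
    }
    return $hits;
}

// Constructed sample: a benign visitor with a serialized-array cookie, one
// object-injection attempt, and a request with no cookie at all.
$sample = [
    '203.0.113.5 - - [10/Sep/2017:10:01:02 +0000] "GET /book/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "wpmudev_appointments=a%3A1%3A%7Bs%3A7%3A%22service%22%3Bi%3A2%3B%7D"',
    '198.51.100.7 - - [10/Sep/2017:10:05:44 +0000] "GET / HTTP/1.1" 200 9876 "-" "python-requests/2.18" "wpmudev_appointments=O%3A8%3A%22WP_Theme%22%3A0%3A%7B%7D; wordpress_test_cookie=WP+Cookie+check"',
    '192.0.2.9 - - [10/Sep/2017:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0" "-"',
];

foreach (scan_log($sample) as $hit) {
    printf("%s %s \"%s\" classes=%s%s\n", $hit['time'], $hit['ip'], $hit['request'],
        implode(',', $hit['classes']), $hit['known_gadget'] ? ' [known gadget]' : '');
}
```

Only the second line is reported, with WP_Theme flagged as the known gadget; the benign booking cookie (a serialized array) and the cookie-less request produce nothing. To run it against a real log, replace the $sample array with file('/path/to/access.log', FILE_IGNORE_NEW_LINES) and adjust LOG_RE to your log format.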
