On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations.
They received a response the same day and sent over their full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.
As usual, all our ProtectYourWP clients who use this plugin were updated to the patched version within 24 hrs of its release.
Source: https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-calendar-plugin