CVE-2025-32571 HIGH

CVE-2025-32571: WordPress TuriTop Booking System Plugin <= 1.0.10 - PHP Object Injection vulnerability

Vendor Turitop

Product TuriTop Booking System

Weakness CWE-502 · Unsafe deserialization

Published April 17, 2025

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Deserialization of Untrusted Data vulnerability in TuriTop TuriTop Booking System turitop-booking-system allows Object Injection.This issue affects TuriTop Booking System: from n/a through <= 1.0.10.

Key dates

02Disclosure timeline

April 17, 2025 CVE published

April 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-32571 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

04Related CVE

CVE-2026-27685 Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration CVE-2026-7858 Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x CVE-2025-10771 jeecgboot JimuReport DB2 JDBC testConnection deserialization CVE-2026-7637 Boost <= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie CVE-2021-24857 ToTop Link <= 1.7.1 - Unauthenticated PHP Object Injection