BookingPress < 1.0.11 - Unauthenticated SQL Injection
CVE-2022-0739

9.8CRITICAL

Key Information:

Vendor

Wordpress
Status
Bookingpress – Appointments Booking Calendar Plugin And Online Scheduling Plugin
Vendor
CVE Published:
21 March 2022

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC🟣 EPSS 72%

What is CVE-2022-0739?

The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

BookingPress – Appointments Booking Calendar Plugin and Online Scheduling Plugin 1.0.11

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-0739
Created by BKreisel

CVE-2022-0739
Created by destr4ct

CVE-2022-0739
Created by Chris01s

References

https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-...
x_refsource_MISC
https://plugins.trac.wordpress.org/changeset/2684789
x_refsource_CONFIRM

EPSS Score

72% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

cydave
JSON
.