Pinpoint Booking System < 2.9.9.2.9 - Subscriber+ SQLi
CVE-2023-0220
8.8HIGH
Summary
The Pinpoint Booking System Plugin for WordPress, prior to version 2.9.9.2.9, lacks proper validation and escaping of a shortcode attribute in its SQL statements. This oversight may allow authenticated users, including those with minimal privileges like subscribers, to execute SQL Injection attacks, potentially compromising the integrity and confidentiality of the underlying database.
Affected Version(s)
Pinpoint Booking System 0 < 2.9.9.2.9
References
CVSS V3.1
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lana Codes
WPScan