SQL Injection Vulnerability in BookingPress Plugin
CVE-2024-10540

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Appointment Booking Calendar Plugin And Scheduling Plugin – Bookingpress
Vendor: CVE Published:; 2 November 2024

Summary

The Appointment Booking Calendar Plugin and Scheduling Plugin, known as the BookingPress plugin for WordPress, is vulnerable to SQL Injection through the 'service' parameter of the 'bookingpress_form' shortcode. This vulnerability arises from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries. Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to inject additional SQL queries into existing requests, potentially enabling them to extract sensitive database information. Website administrators are advised to review their current versions and apply necessary updates to mitigate this security risk.

Affected Version(s)

Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress * <= 1.1.16

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/bookingpress-a...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 2, 2024

Credit

Arkadiusz Hydzik