SQL Injection Vulnerability in BookingPress Plugin for WordPress
CVE-2024-11726

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: Appointment Booking Calendar Plugin And Scheduling Plugin – Bookingpress
Vendor: CVE Published:; 24 December 2024

Summary

The BookingPress plugin for WordPress contains a vulnerability that allows authenticated users, specifically those with Contributor-level access or higher, to exploit an SQL Injection flaw through the 'category' parameter of the 'bookingpress_form' shortcode. Due to inadequate parameter escaping and insufficient preparation of the existing SQL query, attackers can manipulate the SQL statements to append their own queries. This can lead to the unauthorized extraction of sensitive information from the database, posing significant risks to web application security and user data integrity.

Affected Version(s)

Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress * <= 1.1.21

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3206780/book...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 24, 2024
Vulnerability Reserved
Nov 25, 2024

Credit

Khayal Farzaliyev