SQL Injection Vulnerability in Appointment Booking Calendar Plugin
CVE-2024-2341

6.5MEDIUM

Key Information:

Summary

The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin for WordPress is susceptible to SQL Injection through the 'keys' parameter. This vulnerability arises from inadequate escaping of user-supplied input and insufficient validation of SQL queries. Authenticated users with subscriber-level access or higher can manipulate existing database queries, enabling the injection of additional SQL commands. This could lead to unauthorized access to sensitive data within the database, posing significant security risks to affected installations. All versions up to and including 1.6.7.7 are impacted, emphasizing the need for users to apply patches and updates promptly.

Affected Version(s)

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin * <= 1.6.7.7

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Krzysztof Zając
.
🍪 This website uses cookies, like every other website on the internet 😕 By using our website, you consent to the use of cookies.