SQL Injection Vulnerability in Appointment Booking Calendar Plugin
CVE-2024-2341
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 9 April 2024
Summary
The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin for WordPress is susceptible to SQL Injection through the 'keys' parameter. This vulnerability arises from inadequate escaping of user-supplied input and insufficient validation of SQL queries. Authenticated users with subscriber-level access or higher can manipulate existing database queries, enabling the injection of additional SQL commands. This could lead to unauthorized access to sensitive data within the database, posing significant security risks to affected installations. All versions up to and including 1.6.7.7 are impacted, emphasizing the need for users to apply patches and updates promptly.
Affected Version(s)
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin * <= 1.6.7.7
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved