SQL Injection Vulnerability in BookingPress Appointment Booking Pro Plugin for WordPress
CVE-2026-11823

7.5HIGH

What is CVE-2026-11823?

The BookingPress Appointment Booking Pro plugin for WordPress has a vulnerability that allows SQL Injection through the 'store_service_date' parameter in the bpa_assign_staffmember_to_slots() function. This occurs in versions up to 5.7.1, where user-supplied data is inadequately processed using stripslashes_deep() and directly inserted into a SQL LIKE clause without sufficient parameterization or preparation. This flaw can empower unauthenticated attackers to manipulate SQL queries, potentially granting them access to sensitive information stored in the database.

Affected Version(s)

BookingPress Appointment Booking Pro 0 <= 5.7.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

h0xilo
.