SQL Injection Vulnerability in BookingPress Appointment Booking Pro Plugin for WordPress
CVE-2026-11823
7.5HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 1 July 2026
What is CVE-2026-11823?
The BookingPress Appointment Booking Pro plugin for WordPress has a vulnerability that allows SQL Injection through the 'store_service_date' parameter in the bpa_assign_staffmember_to_slots() function. This occurs in versions up to 5.7.1, where user-supplied data is inadequately processed using stripslashes_deep() and directly inserted into a SQL LIKE clause without sufficient parameterization or preparation. This flaw can empower unauthenticated attackers to manipulate SQL queries, potentially granting them access to sensitive information stored in the database.
Affected Version(s)
BookingPress Appointment Booking Pro 0 <= 5.7.1