SQL Injection Vulnerability in MotoPress Appointment Booking Plugin for WordPress
CVE-2026-13454
6.5MEDIUM
What is CVE-2026-13454?
The MotoPress Appointment Booking plugin for WordPress is exposed to SQL Injection via the 's' parameter. This vulnerability arises from improper escaping of user inputs and inadequate preparation of SQL queries. Authenticated attackers with the 'mpa_appointment_employee' role can exploit this vulnerability to inject malicious SQL commands, potentially leading to unauthorized access to sensitive information stored in the database. It is essential for users of this plugin to apply security measures and updates promptly to mitigate possible exploitation risks.
Affected Version(s)
MotoPress Appointment Booking 0 <= 2.4.5