SQL Injection Vulnerability in MotoPress Appointment Booking Plugin for WordPress
CVE-2026-13454

6.5MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
1 July 2026

What is CVE-2026-13454?

The MotoPress Appointment Booking plugin for WordPress is exposed to SQL Injection via the 's' parameter. This vulnerability arises from improper escaping of user inputs and inadequate preparation of SQL queries. Authenticated attackers with the 'mpa_appointment_employee' role can exploit this vulnerability to inject malicious SQL commands, potentially leading to unauthorized access to sensitive information stored in the database. It is essential for users of this plugin to apply security measures and updates promptly to mitigate possible exploitation risks.

Affected Version(s)

MotoPress Appointment Booking 0 <= 2.4.5

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MatilJ
.