SQL Injection Vulnerability in Booking Calendar Plugin by WordPress
CVE-2026-15289
5.9MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-15289?
A vulnerability exists in the Appointment Booking System plugin for WordPress, enabling unauthenticated attackers to exploit time-based SQL Injection attacks via the 'wpdevart_id' parameter. This flaw arises from inadequate escaping of user-supplied data and improper preparation of SQL queries, making it possible to append harmful SQL queries to legitimate ones. To exploit this vulnerability, users must have the Pro version of the plugin installed and the 'Delete previous dates' option enabled, which increases the risk of sensitive data exposure from the database.
Affected Version(s)
Booking calendar, Appointment Booking System 0 <= 3.2.17