SQL Injection in Booking Package Plugin for WordPress
CVE-2026-15335

7.5HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
11 July 2026

What is CVE-2026-15335?

The Booking Package plugin for WordPress has a vulnerability that allows for SQL Injection via the 'email' form parameter. This affects all versions up to and including 1.7.20, due to inadequate escaping of user input and insufficient SQL query preparation. Attackers without authentication can exploit this vulnerability to insert malicious SQL queries that may extract sensitive data from the database. Notably, the vulnerable REST API endpoint '/wp-json/booking-package/v1/request' has a permission callback that does not restrict access, allowing attackers to interact with it without any authentication, making the situation more critical. Although the parameter passes through an is_email validation, it still poses a significant risk.

Affected Version(s)

Booking Package 0 <= 1.7.20

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.