SQL Injection in Booking Package Plugin for WordPress
CVE-2026-15335
What is CVE-2026-15335?
The Booking Package plugin for WordPress has a vulnerability that allows for SQL Injection via the 'email' form parameter. This affects all versions up to and including 1.7.20, due to inadequate escaping of user input and insufficient SQL query preparation. Attackers without authentication can exploit this vulnerability to insert malicious SQL queries that may extract sensitive data from the database. Notably, the vulnerable REST API endpoint '/wp-json/booking-package/v1/request' has a permission callback that does not restrict access, allowing attackers to interact with it without any authentication, making the situation more critical. Although the parameter passes through an is_email validation, it still poses a significant risk.
Affected Version(s)
Booking Package 0 <= 1.7.20