WordPress Plugin Vulnerabilities

Bookly < 22.4 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Proof of Concept

Go to Bookly> Settings > Logs
Do a search and intercept the request
The parameter `columns%5B0%5D%5Bdata%5D` with value `created_at` is vulnerable to payloads like the following `(select*from(select(sleep(10)))a)`
See the delay in the SQL query.

Affects Plugins

Plugin icon
bookly-responsive-appointment-booking-tool
Fixed in 22.4

References

CVE
CVE-2023-4691

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Pablo Sanchez
Submitter
Pablo Sanchez
Verified
Yes
WPVDB ID
5085ec75-0795-4004-955d-e71b3d2c26c6

Timeline

Publicly Published
2023-09-25 (about 7 months ago)
Added
2023-09-25 (about 7 months ago)
Last Updated
2023-09-25 (about 7 months ago)

Other

Published
Title
Published
2017-05-02
Title
Photo Gallery by WD <= 1.3.35 - Authenticated SQL Injection
Published
2014-08-01
Title
All Video Gallery - Multiple SQL Injection Vulnerabilities
Published
2024-04-18
Title
Forminator < 1.29.3 - Admin+ SQL Injection
Published
2022-12-12
Title
LetsRecover < 1.2.0 - Unauthenticated SQLi
Published
2024-03-26
Title
Photos and Files Contest Gallery < 21.3.2.1 - Authenticated (Contributor+) SQL Injection