Bookly < 22.4 – Admin+ SQLi | CVE 2023-4691 | Plugin Vulnerabilities

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Proof of Concept

Go to Bookly> Settings > Logs
Do a search and intercept the request
The parameter `columns%5B0%5D%5Bdata%5D` with value `created_at` is vulnerable to payloads like the following `(select*from(select(sleep(10)))a)`
See the delay in the SQL query.

Affects Plugins

bookly-responsive-appointment-booking-tool

Fixed in 22.4

References

CVE

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Pablo Sanchez

Submitter

Pablo Sanchez

Verified

Yes

WPVDB ID

5085ec75-0795-4004-955d-e71b3d2c26c6

Timeline

Publicly Published

2023-09-25 (about 2 years ago)

Added

2023-09-25 (about 2 years ago)

Last Updated

2023-09-25 (about 2 years ago)

Other

Published

Title

Published

2022-03-07

Title

SpeakOut! Email Petitions < 2.14.15.1 - Unauthenticated SQLi

Published

2023-12-28

Title

Page Generator < 1.7.2 - Authenticated(Administrator+) SQL Injection

Published

2024-10-15

Title

Zoho CRM Lead Magnet < 1.7.9.8 - Contributor+ SQL Injection

Published

2017-01-26

Title

WordPress 3.5-4.7.1 - WP_Query SQL Injection

Published

2022-09-06

Title

Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated Blind SQLi