Booking calendar, Appointment Booking System < 3.2.18 – Unauthenticated Time-Based SQLi | Plugin Vulnerabilities

Description

The plugin is vulnerable to time-based SQL Injection via the ‘wpdevart_id’ parameter due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. In order to exploit the vulnerability, the Pro version of the plugin must be installed and activated, with the 'Delete previous dates' option checked.

Affects Plugins

booking-calendar

Fixed in 3.2.18

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8c052622-ac99-4069-b7df-41aea303ed9d

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

shaman0x01

Verified

No

WPVDB ID

62b4c75b-de24-47b6-95a4-a01f4aee2e95

Timeline

Publicly Published

2025-07-01 (about 11 months ago)

Added

2025-09-01 (about 9 months ago)

Last Updated

2025-09-01 (about 9 months ago)

Other

Published

Title

Published

2022-02-07

Title

RegistrationMagic < 5.0.2.2 - Admin+ SQL Injection

Published

2026-05-26

Title

Events Schedule - WordPress Events Calendar <= 2.7.2 - Authenticated (Subscriber+) SQL Injection

Published

2023-03-06

Title

WP Statistics < 14.0 - Authenticated SQLi

Published

2024-01-18

Title

Smart Manager < 8.28.0 - Admin+ SQL Injection

Published

2025-10-17

Title

PPOM – Product Addons & Custom Fields for WooCommerce < 33.0.16 - Unauthenticated SQL Injection