WordPress Plugin Vulnerabilities

Advanced Booking Calendar <= 1.7.1 - Unauthenticated SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users

Affects Plugins

Plugin icon
advanced-booking-calendar
No known fix

References

CVE
CVE-2022-45822

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
minhtuanact
Verified
No
WPVDB ID
68794bf0-ac44-4160-bd37-14af2171b44d

Timeline

Publicly Published
2022-12-02 (about 3 years ago)
Added
2022-12-05 (about 3 years ago)
Last Updated
2022-12-05 (about 3 years ago)

Other

Published
Title
Published
2024-04-11
Title
Shopping Cart & eCommerce Store < 5.6.4 - Contributor+ SQL Injection
Published
2020-05-15
Title
Photo Gallery by 10Web < 1.5.55 - Unauthenticated SQL Injection
Published
2024-04-29
Title
School Management Pro <= 10.3.4 - Authenticated (School Admin+) SQL Injection
Published
2025-02-21
Title
Doctor Appointment Booking <= 1.0.0 - Authenticated (Subscriber+) SQL Injection
Published
2025-04-04
Title
Falling things < 1.09 - Authenticated (Editor+) SQL Injection