WordPress Plugin Vulnerabilities

Diary & Availability Calendar <= 1.0.3 - Authenticated (subscriber+) SQL Injection

Description

The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user.

Proof of Concept

Affects Plugins

Plugin icon
diary-availability-calendar
No known fix

References

CVE
CVE-2021-24555
URL
https://codevigilant.com/disclosure/2021/wp-plugin-diary-availability-calendar/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
WPVDB ID
8eafd84b-6214-450b-869b-0afe7cca4c5f

Timeline

Publicly Published
2021-07-24 (about 4 years ago)
Added
2021-07-24 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2017-07-19
Title
Task Manager Pro < 3.6.34 - Follower+ SQLi
Published
2025-07-01
Title
LifterLMS < 8.0.7 - Unauthenticated SQL Injection
Published
2025-04-01
Title
Front End Users < 3.2.33 - Authenticated (Admin+) SQL injection
Published
2023-07-18
Title
WP Donate < 1.5 - Unauthenticated SQL Injection
Published
2025-04-07
Title
3DPrint Lite <=2.1.3.6 - Authenticated (Admin+) SQL Injection via 'infill_text'