Booking calendar, Appointment Booking System < 3.2.9 – Multiple Authenticated(Editor+) SQL Injection | Plugin Vulnerabilities

Description

The Booking calendar plugin for WordPress is vulnerable to SQL Injection via the search functionality on multiple administrative pages in versions up to, and including, 3.2.8 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with Editor privileges and above to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note that the Pro version of the plugin allows administrators to grant access to the plugin's Administrative pages to any user role, so other roles may be able to exploit the vulnerability if they have been granted access.

Affects Plugins

booking-calendar

Fixed in 3.2.9

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a02f4fc4-42ca-4f8e-9c28-bfa69644e7b6

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

d31cae4e-034d-4007-b7c1-8e4ddd4de8e7

Timeline

Publicly Published

2023-09-12 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2023-12-11 (about 2 years ago)

Other

Published

Title

Published

2024-04-11

Title

Shopping Cart & eCommerce Store < 5.6.4 - Contributor+ SQL Injection

Published

2026-05-04

Title

WebinarIgnition <= 4.09.1 - Unauthenticated SQL Injection

Published

2025-12-05

Title

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI < 3.41.0 - Authenticated (Contributor+) SQL Injection via ORDER BY Clause

Published

2024-10-13

Title

ShortPixel Image Optimizer < 5.6.4 - Authenticated (Editor+) SQL Injection

Published

2025-06-11

Title

Woocommerce Partial Shipment < 3.3 - Authenticated (Subscriber+) SQL Injection