WordPress Plugin Vulnerabilities

Booking Calendar WpDevArt < 3.2.12 - Admin+ SQLi

Description

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

Affects Plugins

Plugin icon
booking-calendar
Fixed in 3.2.12

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/caa39613-aaf3-4e47-8866-8fda1f7fc15b

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
4.1 (medium)

Miscellaneous

Verified
No
WPVDB ID
cb943861-0f21-41d7-9ed3-a9260157e25e

Timeline

Publicly Published
2023-10-29 (about 6 months ago)
Added
2023-12-29 (about 4 months ago)
Last Updated
2023-12-29 (about 4 months ago)

Other

Published
Title
Published
2022-11-08
Title
Form Vibes < 1.4.6 - Admin+ SQLi
Published
2019-08-12
Title
Give <= 2.5.0 - SQL Injection
Published
2024-01-02
Title
WP SMS < 6.5.1 - Contributor+ SQLi to Reflected XSS
Published
2023-10-18
Title
iPanorama 360 – WordPress Virtual Tour Builder < 1.8.1 - Authenticated (Contributor+) SQL Injection via Shortcode
Published
2023-04-05
Title
Slimstat Analytics < 4.9.4 - Subscriber+ SQL Injection