GHSA-6qfc-c5qp-6g6qHighCVSS 7.5
The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via...
🔗 CVE IDs covered (1)
📋 Description
The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
🔗 References (4)
- https://nvd.nist.gov/vuln/detail/CVE-2026-11823
- https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking-pro/trunk/core/classes/class.bookingpress_pro_staff_members.php#L3353
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1663be8e-a6b8-4e0d-97d0-af7db2a2875c?source=cve
- https://github.com/advisories/GHSA-6qfc-c5qp-6g6q