Description

WordPress Plugin Advanced Booking Calendar is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin Advanced Booking Calendar version 1.6.1 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.6.2 or latest

References

https://twitter.com/lenonleite/status/1319304903186128896

Related Vulnerabilities

EspoCRM Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-14349)

Drupal Deserialization of Untrusted Data Vulnerability (CVE-2019-6340)

WordPress Plugin Real-Time Find and Replace Cross-Site Request Forgery (3.9)

WordPress Plugin Let Them Unsubscribe Multiple Unspecified Vulnerabilities (1.0)

WordPress Plugin SpeakOut! Email Petitions Cross-Site Scripting (2.13.2)

Severity

High

Classification

CWE-89 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update SQL Injection