Platform: wordpress
Component: booking
Fixed in: 9.9.1
CVE-2024-1207 is a critical SQL Injection vulnerability affecting the WP Booking Calendar plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data extraction. The vulnerability impacts versions of the plugin up to and including 9.9. A patch is available; immediate action is recommended.
The SQL Injection vulnerability in WP Booking Calendar allows attackers to manipulate database queries directly. Successful exploitation could enable attackers to extract sensitive information such as user credentials, booking details, and potentially even administrative data. Depending on the database schema and permissions, an attacker might be able to modify or delete data, leading to data loss or service disruption. This vulnerability is particularly concerning given the plugin's potential use in handling sensitive customer information and appointment scheduling.
CVE-2024-1207 was publicly disclosed on 2024-02-08. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and ease of exploitation make it a high-priority target. No KEV listing is currently available. Public proof-of-concept code is likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS: 78.70% (99th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-1207 is to immediately update the WP Booking Calendar plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out malicious SQL injection attempts targeting the 'calendarrequestparams[datesddmmyycsv]' parameter. Additionally, review and restrict database user permissions to limit the potential impact of a successful attack. After upgrade, confirm by attempting a booking with a deliberately malformed date string and verifying that the query is properly sanitized.
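A server-side allow-list for that parameter, as an added example; this is neither the plugin's code nor a published WAF rule, and it assumes the value is a short comma-separated list of dd.mm.yy dates, which the advisory does not state. The same check can be applied to captured request bodies to spot requests the allow-list would have blocked.

```python
import re
from urllib.parse import parse_qs

# The parameter name is quoted in the advisory. The expected value shape (a short
# comma-separated list of dd.mm.yy dates) is an assumption made for this example;
# adjust it to what your site's booking form actually sends.
PARAM = "calendarrequestparams[datesddmmyycsv]"
DATE_TOKEN = re.compile(r"\d{2}\.\d{2}\.\d{2}")
MAX_DATES = 64


def is_well_formed_dates_csv(value: str) -> bool:
    """Allow-list check: True only for 1..MAX_DATES tokens, each exactly dd.mm.yy."""
    tokens = value.split(",")
    if not 1 <= len(tokens) <= MAX_DATES:
        return False
    return all(DATE_TOKEN.fullmatch(t) for t in tokens)


def request_is_suspicious(query_or_body: str) -> bool:
    """True when the request carries the parameter with a value the allow-list rejects.

    Requests that do not carry the parameter at all are not flagged; parse_qs
    URL-decodes the name, so the encoded brackets match PARAM.
    """
    fields = parse_qs(query_or_body, keep_blank_values=True)
    return any(not is_well_formed_dates_csv(v) for v in fields.get(PARAM, []))


# Constructed sample form bodies (not real traffic): a valid two-date request,
# a value containing a stray quote character, an empty value, and an unrelated request.
SAMPLE_REQUESTS = [
    "action=booking&calendarrequestparams%5Bdatesddmmyycsv%5D=01.03.24%2C02.03.24",
    "action=booking&calendarrequestparams%5Bdatesddmmyycsv%5D=01.03.24%27",
    "action=booking&calendarrequestparams%5Bdatesddmmyycsv%5D=",
    "action=other&foo=bar",
]


def scan(requests):
    """Return the indices of requests the allow-list would block."""
    return [i for i, r in enumerate(requests) if request_is_suspicious(r)]


if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))  # [1, 2]
```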
Update the WP Booking Calendar plugin to the latest available version. The SQL Injection vulnerability has been fixed in versions later than 9.9. See the plugin's changelog for more details about the fix.
CVE-2024-1207 is a critical SQL Injection vulnerability in the WP Booking Calendar plugin for WordPress, allowing attackers to extract data via parameter manipulation.
You are affected if you are using WP Booking Calendar version 9.9 or earlier. Check your plugin version and update immediately.
Update the WP Booking Calendar plugin to the latest available version. Consider a WAF rule as a temporary mitigation if upgrading is not immediately possible.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the WP Booking Calendar plugin's official website or WordPress plugin repository for the latest advisory and update information.