Platform: wordpress
Component: booking
Fixed version: 9.9.1
CVE-2024-1207 is a critical SQL Injection vulnerability affecting the WP Booking Calendar plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data extraction. The vulnerability impacts versions of the plugin up to and including 9.9. A patch is available; immediate action is recommended.
The SQL Injection vulnerability in WP Booking Calendar allows attackers to manipulate database queries directly. Successful exploitation could enable attackers to extract sensitive information such as user credentials, booking details, and potentially even administrative data. Depending on the database schema and permissions, an attacker might be able to modify or delete data, leading to data loss or service disruption. This vulnerability is particularly concerning given the plugin's potential use in handling sensitive customer information and appointment scheduling.
CVE-2024-1207 was publicly disclosed on 2024-02-08. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and ease of exploitation make it a high-priority target. No KEV listing is currently available. Public proof-of-concept code is likely to emerge, increasing the risk of widespread exploitation.
Websites utilizing the WP Booking Calendar plugin, particularly those handling sensitive user data or financial transactions, are at significant risk. Shared hosting environments where plugin updates are managed by the hosting provider are also vulnerable if they haven't applied the patch. Businesses relying on the plugin for appointment scheduling and customer management should prioritize remediation.
• wordpress / composer / npm:
grep -rF 'calendar_request_params[dates_ddmmyy_csv]' /var/www/html/wp-content/plugins/wp-booking-calendar/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'wp-booking-calendar'
• wordpress / composer / npm:
curl -I https://your-wordpress-site.com/wp-content/plugins/wp-booking-calendar/ | grep -i 'wp-booking-calendar'
Exploitation status
EPSS
78.70% (99th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-1207 is to immediately update the WP Booking Calendar plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out malicious SQL injection attempts targeting the 'calendar_request_params[dates_ddmmyy_csv]' parameter. Additionally, review and restrict database user permissions to limit the potential impact of a successful attack. After upgrade, confirm by attempting a booking with a deliberately malformed date string and verifying that the query is properly sanitized.
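As an added example (not code from the advisory or from the plugin's vendor), the Python below covers both the version check and the parameter filtering described above: it decides whether an installed plugin version is older than the fixed release 9.9.1, and it flags access-log requests whose calendar_request_params[dates_ddmmyy_csv] value falls outside an allow-list shape, the same test a WAF rule would apply. The assumption that the parameter only carries comma-separated numeric dd.mm.yy dates, and the sample log lines, are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

FIXED_VERSION = "9.9.1"  # first fixed release, as stated in the advisory
PARAM = "calendar_request_params[dates_ddmmyy_csv]"
# Assumption: this parameter only ever carries comma-separated numeric dd.mm.yy
# dates, so any other character in its value is outside the expected shape.
EXPECTED_VALUE = re.compile(r"^[0-9., ]*$")
# Request line of an Apache/nginx combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: one benign request, one with a stray quote in the
# dates value, one unrelated request. Paths are illustrative only.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Feb/2024:10:00:00 +0000] "GET /?calendar_request_params%5Bdates_ddmmyy_csv%5D=10.02.24%2C11.02.24 HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Feb/2024:10:00:05 +0000] "GET /?calendar_request_params%5Bdates_ddmmyy_csv%5D=10.02.24%27-- HTTP/1.1" 200 4096',
    '203.0.113.7 - - [08/Feb/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

def parse_version(version: str) -> tuple:
    """'9.9' -> (9, 9); ignores non-numeric suffixes such as '-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_vulnerable_version(version: str) -> bool:
    """True when the installed version is older than the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def version_from_plugin_header(header_text: str):
    """Read 'Version: x.y.z' from a WordPress plugin file header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def suspicious_dates_param(query: str) -> bool:
    """True if the dates parameter is present with a value outside the expected shape."""
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    return any(not EXPECTED_VALUE.fullmatch(v) for v in values)

def scan_access_log(lines) -> list:
    """Return request targets whose query string carries a suspect dates value.
    Only GET requests can be judged this way; POST bodies are not in access logs."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and suspicious_dates_param(urlsplit(m.group("target")).query):
            hits.append(m.group("target"))
    return hits

if __name__ == "__main__":
    print("flagged:", scan_access_log(SAMPLE_LOG))
```

Point version_from_plugin_header at the plugin's main PHP file and feed scan_access_log your web server's access log; a non-empty result from either is a reason to patch and investigate.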
Update the WP Booking Calendar plugin to the latest available version. The SQL injection vulnerability has been fixed in versions later than 9.9. Consult the plugin's changelog for more details on the fix.
CVE-2024-1207 is a critical SQL Injection vulnerability in the WP Booking Calendar plugin for WordPress, allowing attackers to extract data via parameter manipulation.
You are affected if you are using WP Booking Calendar version 9.9 or earlier. Check your plugin version and update immediately.
Update the WP Booking Calendar plugin to the latest available version. Consider a WAF rule as a temporary mitigation if upgrading is not immediately possible.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the WP Booking Calendar plugin's official website or WordPress plugin repository for the latest advisory and update information.