WordPress Booking Calendar Plugin Vulnerable to SQL Injection Attacks – Update Now!

CVE: CVE-2024-1207
CVSS v3.1: 9.8
Source: CVE-2024-1207

The popular WordPress plugin WP Booking Calendar is vulnerable to SQL injection attacks that could allow hackers to access sensitive information like user data.

SQL injection is a type of attack where malicious code is inserted into SQL queries via user input to gain unauthorized access to databases. In this case, an attacker can send a request with a specially crafted value for the 'calendar_request_params[dates_ddmmyy_csv]' parameter; because that value reaches the database query without proper escaping or parameterization, it can append additional SQL that gets executed on the backend.

This could reveal things like admin usernames and passwords, emails, names and other private details stored in the WordPress database. Attackers don’t even need valid login credentials to exploit this vulnerability.

All versions of WP Booking Calendar prior to 9.9 are affected. To protect your site, update to version 9.9 or later immediately, or disable the plugin until you are able to update. Regular backups and strong passwords are also recommended to minimize the potential damage from an exploit.
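To make the root cause concrete, here is an added example (not the plugin's own code and not the patched code from version 9.9) that contrasts the unsafe pattern behind this class of bug with a hardened version. It assumes WordPress' global $wpdb object, a hypothetical table named {$wpdb->prefix}bookings_dates with a booking_date column, and that the dates_ddmmyy_csv value is a comma-separated list of dd.mm.yy strings; those table, column and format details are assumptions for illustration, only the parameter name comes from the advisory.

```php
<?php
// Added example for illustration; not code from the WP Booking Calendar plugin.
// Assumes WordPress' global $wpdb and a hypothetical table {$wpdb->prefix}bookings_dates.

/**
 * UNSAFE pattern (shown only for contrast): the raw CSV string from the request
 * is spliced directly into the SQL text, so whatever the client sends becomes
 * part of the query itself instead of being treated as data.
 */
function bookings_for_dates_unsafe( $csv ) {
    global $wpdb;
    $items  = explode( ',', $csv );
    $quoted = array_map( function ( $d ) { return "'" . $d . "'"; }, $items );
    $sql    = "SELECT booking_id, booking_date FROM {$wpdb->prefix}bookings_dates"
            . " WHERE booking_date IN (" . implode( ',', $quoted ) . ")";
    return $wpdb->get_results( $sql );
}

/**
 * Allow-list parser: returns an array of dd.mm.yy strings, or null if any item
 * does not match the expected shape. Rejecting malformed input up front is the
 * first line of defence; parameterization below is the second.
 */
function parse_ddmmyy_csv( $csv ) {
    if ( ! is_string( $csv ) || $csv === '' ) {
        return null;
    }
    $out = array();
    foreach ( explode( ',', $csv ) as $item ) {
        $item = trim( $item );
        // Assumed format: two-digit day, month and year separated by dots.
        if ( ! preg_match( '/^(0[1-9]|[12][0-9]|3[01])\.(0[1-9]|1[0-2])\.\d{2}$/', $item ) ) {
            return null;
        }
        $out[] = $item;
    }
    return $out;
}

/**
 * Hardened pattern: validate every date, then bind each value through
 * $wpdb->prepare() with one %s placeholder per item, so the database driver
 * never interprets user input as SQL.
 */
function bookings_for_dates_safe( $csv ) {
    global $wpdb;
    $dates = parse_ddmmyy_csv( $csv );
    if ( $dates === null || count( $dates ) === 0 ) {
        return array(); // refuse to query on bad input rather than guess
    }
    $placeholders = implode( ',', array_fill( 0, count( $dates ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT booking_id, booking_date FROM {$wpdb->prefix}bookings_dates"
        . " WHERE booking_date IN ($placeholders)",
        $dates // prepare() accepts the bound values as a single array
    );
    return $wpdb->get_results( $sql );
}

// Typical call site: read the nested request parameter named in the advisory.
$param = isset( $_POST['calendar_request_params']['dates_ddmmyy_csv'] )
    ? wp_unslash( $_POST['calendar_request_params']['dates_ddmmyy_csv'] )
    : '';
$rows = bookings_for_dates_safe( $param );
```

The two layers are deliberate: the regular expression limits the parameter to the shape the feature actually needs, and prepare() guarantees that even a value which slips past validation is sent to MySQL as a bound string rather than as query text. When reviewing a plugin for this bug class, look for any $wpdb->query(), get_results() or get_var() call whose SQL string is built with interpolation or concatenation of request data; every such call should either go through prepare() or be unreachable from user input.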

Staying on top of plugin and theme updates is one of the best ways to keep WordPress sites secure. Be sure to always update to the latest versions as soon as new releases are available.
