WordPress Booking Calendar Plugin Vulnerable to SQL Injection Attacks – Update Now!

CVE: CVE-2024-1207
CVSS v3.1: 9.8
Source: CVE-2024-1207

The popular WordPress plugin WP Booking Calendar is vulnerable to SQL injection attacks that could allow hackers to access sensitive information like user data.

SQL injection is a type of attack where malicious code is inserted into SQL queries via user input to gain unauthorized access to databases. In this case, attackers could send crafted requests that carry additional SQL code through the ‘calendar_request_params[dates_ddmmyy_csv]’ parameter.

Without proper validation and escaping of user input, this additional code gets executed by the database as part of the intended query. This allows hackers to view, modify or delete data like admin credentials, emails and other private details.
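The two paragraphs above describe the general failure: a comma-separated list of dates arrives from the request and ends up inside a query without validation or escaping. The following is an added illustration of that pattern and of its fix, written for this page; it is not code from the WP Booking Calendar plugin, and the page does not show the plugin's own query. It assumes a hypothetical `bookings` table with a `booking_date` column, a `dd.mm.yy` date shape for the parameter, and an in-memory SQLite database standing in for MySQL. The hardened path does two things a reviewer would look for: it rejects anything that is not a list of dates before the value reaches the database, and it binds each value as a query parameter instead of splicing text into the SQL string (in WordPress code the equivalent is `$wpdb->prepare()` with `%s` placeholders).

```python
import re
import sqlite3

# Allowlist for the dd.mm.yy CSV shape the parameter is expected to carry.
# This regex is an assumption for the example; the plugin's real check is not on the page.
DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{2}$")


def parse_dates_csv(raw, max_items=100):
    """Return the validated list of dd.mm.yy tokens, or raise ValueError.

    Anything that is not purely a date (quotes, spaces, keywords) is rejected
    here, before any SQL is built.
    """
    if not isinstance(raw, str) or not raw:
        raise ValueError("dates_ddmmyy_csv must be a non-empty string")
    items = raw.split(",")
    if len(items) > max_items:
        raise ValueError("too many dates in dates_ddmmyy_csv")
    for item in items:
        if not DATE_RE.match(item):
            raise ValueError("rejected token in dates_ddmmyy_csv: %r" % item)
    return items


def unsafe_sql(raw):
    """The anti-pattern: the raw parameter is quoted by hand and spliced into
    the query text, so a quote inside the input changes the query's structure."""
    quoted = ",".join("'%s'" % d for d in raw.split(","))
    return "SELECT id, booking_date FROM bookings WHERE booking_date IN (%s)" % quoted


def safe_lookup(conn, raw):
    """Hardened path: validate first, then bind every value as a parameter."""
    dates = parse_dates_csv(raw)
    placeholders = ",".join("?" * len(dates))
    sql = "SELECT id, booking_date FROM bookings WHERE booking_date IN (%s)" % placeholders
    return conn.execute(sql, dates).fetchall()


def make_demo_db():
    """Constructed sample data (hypothetical table and rows) for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, booking_date TEXT)")
    conn.executemany(
        "INSERT INTO bookings (booking_date) VALUES (?)",
        [("01.01.24",), ("02.01.24",), ("03.01.24",)],
    )
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(safe_lookup(conn, "01.01.24,03.01.24"))       # two matching rows
    try:
        safe_lookup(conn, "01.01.24'")                  # stray quote: rejected before any query
    except ValueError as exc:
        print("rejected:", exc)
    # With the unsafe builder the same stray quote becomes part of the SQL text.
    print(unsafe_sql("01.01.24'"))
```

The key property to test in a fix is not that one particular input fails, but that the query's structure no longer depends on the parameter's contents: with placeholders, the date list can only ever match rows, never extend the statement.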

All versions of WP Booking Calendar prior to 9.9 are affected. If you have this plugin installed, you should update to the latest version immediately to patch this security issue.

It’s also recommended to keep your WordPress installation and plugins up-to-date at all times. Use a strong and unique password for your admin account. Consider enabling two-factor authentication for added security. Monitor your website and database for any unauthorized access.
