cbcvebase.
CVE-2018-20556
published 2019-03-21


Priority: P2 (69, high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 19.24% (97.0th percentile)
SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.

Affected

1 range

Vendor                    Product           Version range   Fixed in
booking_calendar_project  booking_calendar

Detection & IOCs (extracted from sources)

command: action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67
path: /wp-admin/ (Booking Calendar plugin page, POST to action=TRASH_RESTORE)
  • Monitor POST requests containing the 'booking_id' parameter with SQL metacharacters (e.g., parentheses, AND SLEEP, boolean expressions) targeting the Booking Calendar plugin endpoint (action=TRASH_RESTORE).
  • Detect time-based blind SQLi attempts by alerting on POST requests where 'booking_id' contains ') AND SLEEP(' patterns, indicating exploitation of CVE-2018-20556.
  • Watch for sqlmap-style requests targeting the booking_id parameter, including use of --sql-shell, --os-shell, or --os-cmd flags which indicate attempted shell acquisition via SQLi.
  • Exploitation requires authentication — the attacker must have valid WordPress credentials (e.g., a subscriber or higher role) before the SQL injection can be triggered.
  • Older versions of the plugin prior to 8.4.3 may also be affected, so detection/blocking rules should not be scoped exclusively to version 8.4.3.
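The detection bullets above describe what to look for but not how to apply it to traffic. The following is an added example, not part of this record or of the Booking Calendar project: a small Python detector that parses form-encoded POST bodies, isolates the booking_id parameter of TRASH_RESTORE requests, and names which indicator fired (time-based SLEEP probe, boolean tautology, or bare SQL metacharacters). The sample requests, source addresses and the /wp-admin/admin-ajax.php path are constructed for the example; the first body is the probe quoted in the IOC above, the second is the same probe URL-encoded the way a client would actually transmit it, to show that matching must run on the decoded value.

```python
import re
from urllib.parse import parse_qs

# Indicators for the booking_id parameter. A legitimate booking_id is a plain
# integer, so anything else deserves a look; the first two patterns name the
# specific shapes described in the detection guidance so an alert can say
# which one matched.
INDICATORS = {
    "time_based_sleep": re.compile(r"\)\s*AND\s+SLEEP\s*\(", re.I),
    "boolean_tautology": re.compile(r"\b(?:AND|OR)\b\s*\(?\s*\d+\s*=\s*\d+", re.I),
    "sql_metacharacters": re.compile(r"""[()'";]"""),
}


def inspect_post_body(body):
    """Classify one POST body.

    Returns None when the body is not a TRASH_RESTORE request for the plugin,
    otherwise a dict with the decoded booking_id, a 'suspicious' flag and the
    names of the indicators that matched.
    """
    params = parse_qs(body, keep_blank_values=True)  # also URL-decodes values
    if params.get("action", [""])[0] != "TRASH_RESTORE":
        return None
    booking_id = params.get("booking_id", [""])[0]
    if booking_id.isdigit():  # the only legitimate shape for this parameter
        return {"booking_id": booking_id, "suspicious": False, "indicators": []}
    hits = [name for name, rx in INDICATORS.items() if rx.search(booking_id)]
    return {"booking_id": booking_id, "suspicious": bool(hits), "indicators": hits}


def scan_requests(requests):
    """Run inspect_post_body over (src_ip, method, path, body) tuples and
    return one alert per suspicious POST to a wp-admin endpoint."""
    alerts = []
    for src_ip, method, path, body in requests:
        if method != "POST" or not path.startswith("/wp-admin/"):
            continue
        verdict = inspect_post_body(body)
        if verdict and verdict["suspicious"]:
            alerts.append({"src_ip": src_ip, "path": path, **verdict})
    return alerts


# Constructed sample traffic (not real logs; addresses are documentation ranges,
# and the admin-ajax.php path is an assumption about the plugin's endpoint).
SAMPLE_REQUESTS = [
    ("198.51.100.7", "POST", "/wp-admin/admin-ajax.php",
     "action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1"
     "&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67"),
    ("198.51.100.7", "POST", "/wp-admin/admin-ajax.php",
     "action=TRASH_RESTORE&booking_id=573%29+AND+SLEEP%28100%29+AND+%281%3D1&is_trash=1"),
    ("203.0.113.9", "POST", "/wp-admin/admin-ajax.php",
     "action=TRASH_RESTORE&booking_id=573&is_trash=1&wpbc_nonce=99c5ffaa67"),
    ("203.0.113.9", "GET", "/wp-admin/admin-ajax.php", ""),
    ("203.0.113.9", "POST", "/wp-login.php", "log=editor&pwd=example-password"),
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {alert['src_ip']} {alert['path']} "
              f"booking_id={alert['booking_id']!r} indicators={alert['indicators']}")
```

Because the check runs on the parsed, decoded parameter rather than on the raw body, the URL-encoded variant produces the same verdict as the literal one, and requests carrying a purely numeric booking_id never alert. Pair the alert with the authenticated WordPress user (the page notes exploitation requires a valid account) to turn a single hit into an account-level investigation rather than only an IP block.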

CVSS provenance

NVD v3.0: 8.8 HIGH  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P