CVE-2018-20556
Published 2019-03-21
Priority: P269 (high) · CVSS 3.0 base score: 8.8
CVSS 3.0 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: available (see references below)
EPSS: 19.24% (97.0th percentile)
SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| booking_calendar_project | booking_calendar | — | — |
Detection & IOCs (extracted from sources)
Observed request body (command): action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67
- Monitor POST requests containing the 'booking_id' parameter with SQL metacharacters (e.g., parentheses, AND SLEEP, boolean expressions) targeting the Booking Calendar plugin endpoint (action=TRASH_RESTORE).
- Detect time-based blind SQLi attempts by alerting on POST requests where 'booking_id' contains ') AND SLEEP(' patterns, indicating exploitation of CVE-2018-20556.
- Watch for sqlmap-style requests targeting the booking_id parameter, including use of --sql-shell, --os-shell, or --os-cmd flags, which indicate attempted shell acquisition via SQLi.
- Exploitation requires authentication — the attacker must have valid WordPress credentials (e.g., a subscriber or higher role) before the SQL injection can be triggered.
- Older versions of the plugin prior to 8.4.3 may also be affected, so detection/blocking rules should not be scoped exclusively to version 8.4.3.
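The three detection bullets above describe one check: parse the POST body, pull out booking_id, and flag values that are not a plain integer or that carry the time-based or boolean SQLi patterns quoted in the record. The following is an added example of that check written for this page, not code from the CVE sources or the plugin. The sample bodies are constructed here (the second one is the request body quoted in the record above); the function and severity names are this example's own. It goes slightly beyond the text by also tagging BENCHMARK/WAITFOR probes and generic SQL keywords, since a rule keyed only on the literal ') AND SLEEP(' string misses trivial variants.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies for offline testing. The second entry is the
# request body quoted in the CVE record; the others are made up for this example.
SAMPLE_BODIES = [
    "action=TRASH_RESTORE&booking_id=573&is_trash=1&wpbc_nonce=deadbeef00",
    "action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1"
    "&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67",
    # Same probe, URL-encoded the way a browser or tool would send it.
    "action=TRASH_RESTORE&booking_id=573%29+AND+SLEEP%285%29+AND+%281%3D1&is_trash=1",
    # Benign request: parentheses appear, but not in booking_id.
    "action=UPDATE_NOTE&booking_id=574&note=see+you+at+(5pm)",
    # Malformed id with no recognised SQL pattern: worth a lower-severity alert.
    "action=TRASH_RESTORE&booking_id=573'",
]

# Indicator patterns, roughly from most to least specific. Names are this example's own.
SQLI_PATTERNS = [
    ("time_based_sleep", re.compile(r"\)\s*AND\s*SLEEP\s*\(", re.I)),
    ("sleep_or_benchmark", re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\s*\(", re.I)),
    ("boolean_tautology", re.compile(r"\b(AND|OR)\s*\(?\s*\d+\s*=\s*\d+", re.I)),
    ("sql_keyword", re.compile(r"\b(UNION|SELECT|INSERT|UPDATE|DELETE)\b", re.I)),
]

NUMERIC_ID = re.compile(r"^\d+$")


def analyze_body(body: str) -> dict:
    """Classify one application/x-www-form-urlencoded POST body.

    The plugin expects booking_id to be an integer, so anything else is at least
    suspicious; a match on a known SQLi pattern raises the severity to high.
    parse_qs percent-decodes values and turns '+' into spaces, so the encoded
    and raw forms of the same probe are judged identically.
    """
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    booking_id = params.get("booking_id", [""])[0]

    indicators = [name for name, rx in SQLI_PATTERNS if rx.search(booking_id)]

    if indicators:
        severity = "high"
    elif booking_id and not NUMERIC_ID.match(booking_id):
        severity = "medium"
    else:
        severity = "none"

    return {
        "action": action,
        "booking_id": booking_id,
        "indicators": indicators,
        "severity": severity,
    }


def scan(bodies) -> list:
    """Return an alert record for every body whose severity is not 'none'."""
    return [r for r in (analyze_body(b) for b in bodies) if r["severity"] != "none"]


if __name__ == "__main__":
    for alert in scan(SAMPLE_BODIES):
        print(f"{alert['severity']:6} action={alert['action']} "
              f"indicators={alert['indicators']} booking_id={alert['booking_id']!r}")
```

The check deliberately records the action rather than filtering on it: the record's sample uses action=TRASH_RESTORE, but the last caveat above (older versions may also be affected) argues for keying the rule on the parameter, not on one endpoint or one version string.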
CVSS provenance
NVD, CVSS v3.0: 8.8 HIGH — CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM — AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/151692/WordPress-Booking-Calendar-8.4.3-SQL-Injection.html
- https://gist.github.com/B0UG/a750c2c204825453e6faf898ea6d09f6
- https://vulners.com/exploitdb/EDB-ID:46377
- https://www.exploit-db.com/exploits/46377/