CVE-2022-0658
published 2022-03-14


Priority: P271 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 8.85% (94.6th percentile)
The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection.

Affected

1 range

Vendor        Product          Version range   Fixed in
wielebenwir   commonsbooking   < 2.6.8         2.6.8

Detection & IOCs (extracted from sources)

[other] status_code == 200 && contains(header, "application/json") && contains(body, "partiallyBookedDays") && contains(body, "lockDays")
  • Target the `calendar_data` AJAX action endpoint (wp-admin/admin-ajax.php?action=calendar_data) with a manipulated `location` parameter to detect SQL injection attempts; no authentication is required.
  • A successful exploitation response will return HTTP 200 with Content-Type application/json and a body containing both `partiallyBookedDays` and `lockDays` keys, which can be used as a positive indicator in detection rules.
  • The vulnerability affects CommonsBooking WordPress plugin versions before 2.6.8; ensure detection rules are scoped to installations running versions below this threshold.

CVSS provenance

Source   CVSS version   Score   Severity   Vector
nvd      v3.1           9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0           7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P