CVE-2022-0658
Published 2022-03-14
Priority P271 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 8.85% (94.6th percentile)
The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (available to unauthenticated users) before it is used in dynamically constructed SQL queries, leading to an unauthenticated SQL injection.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wielebenwir | commonsbooking | < 2.6.8 | 2.6.8 |
Detection & IOCs (extracted from sources)
Matcher (other): status_code == 200 && contains(header, "application/json") && contains(body, "partiallyBookedDays") && contains(body, "lockDays")
- Target the `calendar_data` AJAX action (wp-admin/admin-ajax.php?action=calendar_data) with a manipulated `location` parameter; the action is reachable without authentication, so probes and exploitation attempts will come from unauthenticated clients.
- A matching response is HTTP 200 with Content-Type application/json and a body containing both the `partiallyBookedDays` and `lockDays` keys. The matcher only checks for the endpoint's normal JSON response shape, which a patched install answering a benign request is likely to return as well, so treat a match as confirmation that the `calendar_data` endpoint is reachable rather than as proof of injection, and confirm the installed plugin version before raising a finding.
- Only CommonsBooking versions before 2.6.8 are affected; scope detection rules and triage to installations running versions below that threshold.
CVSS provenance
NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Nuclei
CommonsBooking < 2.6.8 - SQL Injection (nuclei · CVSS 9.8)
CVE-2022-0658 [CRITICAL] CommonsBooking < 2.6.8 - SQL Injection
Template excerpt as extracted (the request section is truncated in the source; only a fragment and the matcher block survive):
CommonsBooking =6'
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(header, "application/json")'
          - 'contains(body, "partiallyBookedDays") && contains(body, "lockDays")'
        condition: and
# digest: 4b0a00483046022100ee75903e291664485a8c4b17cedc68da941a72371d9a089a3dc4efb907b5555f022100c282de28022986046b7fe92c25c72cf9b86b98ca04e5102500a90fdb27c7911e:922c64590222798bb761d5b6d8e72950
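The detection notes above and the Nuclei matcher both reduce to the same three-part response check. The following is an added example (not the page's own code, not the Nuclei project's template, and not CommonsBooking code) that re-implements that matcher over constructed sample responses, adds a stricter JSON-key check to show where the substring matcher over-triggers, and scans constructed access-log lines for `calendar_data` requests whose `location` value is not a plain integer. The endpoint path `/wp-admin/admin-ajax.php` is taken from the notes above; the assumption that `location` is expected to be an integer ID, the `HttpResponse` class, and all sample data are this example's own.

```python
"""Detection helpers for CVE-2022-0658 (CommonsBooking < 2.6.8, calendar_data SQLi).

Added example, not the page's or the plugin's code. Assumptions not stated on the
page: `location` is expected to be an integer post ID, and every response and log
line below is constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass
class HttpResponse:
    status_code: int
    headers: dict  # header name -> value, as a client library would expose them
    body: str


def nuclei_matcher(resp: HttpResponse) -> bool:
    """Same logic as the template's three DSL conditions joined with `and`.

    `header` in Nuclei DSL is the raw header text, so the dict is flattened
    before the substring test.
    """
    header_blob = "\n".join(f"{k}: {v}" for k, v in resp.headers.items())
    return (
        resp.status_code == 200
        and "application/json" in header_blob
        and "partiallyBookedDays" in resp.body
        and "lockDays" in resp.body
    )


def json_keys_present(resp: HttpResponse) -> bool:
    """Stricter variant: the two names must be real top-level JSON keys,
    not just substrings anywhere in the body (e.g. inside an error message)."""
    try:
        data = json.loads(resp.body)
    except ValueError:
        return False
    return isinstance(data, dict) and {"partiallyBookedDays", "lockDays"}.issubset(data)


# Request line and status from a combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_calendar_requests(log_lines):
    """Return (location_value, status) for calendar_data requests whose
    `location` is not a plain integer. Assumes a legitimate location is numeric
    (hypothetical; see module docstring). parse_qs URL-decodes, so %27 -> '."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(url.query)
        if qs.get("action") != ["calendar_data"]:
            continue
        for loc in qs.get("location", []):
            if not loc.isdigit():
                hits.append((loc, m.group("status")))
    return hits


# Constructed sample responses (not captured from a real target).
JSON_HDR = {"Content-Type": "application/json; charset=UTF-8"}
SAMPLE_RESPONSES = {
    # Response shape the notes describe for a successful probe.
    "exploit_like": HttpResponse(200, JSON_HDR, json.dumps(
        {"partiallyBookedDays": [], "lockDays": ["2022-03-14"]})),
    # Same shape from a benign request; the matcher cannot tell this apart.
    "patched_benign": HttpResponse(200, JSON_HDR, json.dumps(
        {"partiallyBookedDays": ["2022-03-15"], "lockDays": []})),
    # HTML page mentioning the key names: fails the Content-Type condition.
    "html_page": HttpResponse(200, {"Content-Type": "text/html"},
                              "<p>partiallyBookedDays lockDays</p>"),
    # JSON error whose message contains the names as substrings only.
    "substring_trap": HttpResponse(200, JSON_HDR, json.dumps(
        {"error": "partiallyBookedDays and lockDays missing"})),
}

# Constructed access-log lines (combined format).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Mar/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=calendar_data&location=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Mar/2022:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=calendar_data&location=12%27 HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Mar/2022:10:01:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        print(f"{name:15} nuclei={nuclei_matcher(resp)!s:5} strict={json_keys_present(resp)}")
    print("suspicious:", suspicious_calendar_requests(SAMPLE_LOG))
```

The `patched_benign` case is the point of the caveat in the notes: the matcher fires on the endpoint's ordinary response, so a hit confirms exposure of `calendar_data`, not injection. The log scan is the complementary host-side signal, flagging the single request whose `location` carried a quote.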