CVE-2022-0694

CWE-89: SQL Injection
3 documents, 3 sources
Severity
9.8 CRITICAL
EPSS
0.9%
top 24.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 21
Latest update: Mar 22

Description

The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

Patches

Vulnerability Details (2)
GHSA
GHSA-2j39-64q5-rjfv: The Advanced Booking Calendar WordPress plugin before 1 (2022-03-22)
CVEList
Advanced Booking Calendar < 1.7.0 - Unauthenticated SQL Injection (2022-03-21)