CVE-2022-1006

CWE-89 — SQL Injection4 documents4 sources

Severity

7.2HIGH

EPSS

0.6%

top 29.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Advanced Booking Calendar Elbtide Advanced Booking Calendar

Timeline

PublishedApr 11

Latest updateApr 12

Description

The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5unknown/advanced_booking_calendar1.7.1 — 1.7.1

▶NVDelbtide/advanced_booking_calendar< 1.7.1

Patches

Patch: plugins.trac.wordpress.org ↗Patch: wpscan.com ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-wr35-3f65-j6mc: The Advanced Booking Calendar WordPress plugin before 1↗2022-04-12

▶

CVEList

Advanced Booking Calendar < 1.7.1 - Admin+ SQLi↗2022-04-11

▶

VulnCheck

elbtide advanced_booking_calendar Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')↗2022

▶