Vulnerability Description
The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wpsimplebookingcalendar | Wp Simple Booking Calendar | < 2.0.6 |
Related Weaknesses (CWE)
References
- https://wpscan.com/vulnerability/f85b6033-d7c1-45b7-b3b0-8967f7373bb8ExploitThird Party Advisory
- https://www.trustwave.com/en-us/resources/security-resources/security-advisoriesExploitThird Party Advisory
- https://wpscan.com/vulnerability/f85b6033-d7c1-45b7-b3b0-8967f7373bb8ExploitThird Party Advisory
- https://www.trustwave.com/en-us/resources/security-resources/security-advisoriesExploitThird Party Advisory
FAQ
What is CVE-2021-24726?
CVE-2021-24726 is a vulnerability with a CVSS score of 8.8 (HIGH). The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to a...
How severe is CVE-2021-24726?
CVE-2021-24726 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24726?
Check the references section above for vendor advisories and patch information. Affected products include: Wpsimplebookingcalendar Wp Simple Booking Calendar.