Vulnerability Description
The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (available to both unauthenticated and authenticated users), leading to an unauthenticated SQL injection
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Elbtide | Advanced Booking Calendar | < 1.7.0 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/2682086PatchThird Party Advisory
- https://wpscan.com/vulnerability/990d1b0a-dbd1-42d0-9a40-c345407c6fe0ExploitThird Party Advisory
- https://plugins.trac.wordpress.org/changeset/2682086PatchThird Party Advisory
- https://wpscan.com/vulnerability/990d1b0a-dbd1-42d0-9a40-c345407c6fe0ExploitThird Party Advisory
FAQ
What is CVE-2022-0694?
CVE-2022-0694 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Advanced Booking Calendar WordPress plugin before 1.7.0 does not validate and escape the calendar parameter before using it in a SQL statement via the abc_booking_getSingleCalendar AJAX action (av...
How severe is CVE-2022-0694?
CVE-2022-0694 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-0694?
Check the references section above for vendor advisories and patch information. Affected products include: Elbtide Advanced Booking Calendar.