WordPress users are urged to take immediate action following the discovery of a critical SQL injection vulnerability (CVE-2024-1207) in the WP Booking Calendar plugin. The flaw, present in all versions up to and including 9.9, stems from insufficient escaping on the ‘calendar_request_params[dates_ddmmyy_csv]’ parameter. This vulnerability allows unauthenticated attackers to inject additional SQL queries into existing ones, potentially leading to the extraction of sensitive information from the database.
The severity of this vulnerability is reflected in its CVSS 3.x score of 9.8 (CRITICAL), indicating a high-risk scenario. The NVD and the Common Vulnerabilities and Exposures (CVE) List report a matching CVSS score, providing a unified understanding of the potential impact. Wordfence, the assigned CNA, emphasizes the critical nature of this vulnerability with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
To address this issue, a patch has been released. WordPress administrators are strongly advised to apply the patch promptly to mitigate the risk associated with this vulnerability. For detailed information on the patch, visit WordPress Trac.
Additionally, Wordfence has provided a comprehensive advisory that outlines the vulnerability’s technical details, impact, and steps for mitigation.
Reference:
