Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin Blind SQL Injection Vulnerability

Vulnerability

A blind SQL injection vulnerability has been identified in the Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin for WordPress, affecting all versions through 1.6.9.27. The vulnerability arises from the 'db_where_conditions' method in the 'TD_DB_Model' class, which does not properly validate the 'append_where_sql' parameter in JSON request bodies. This oversight allows unauthenticated attackers to append arbitrary SQL commands to database queries, potentially leading to the extraction of sensitive information. Exploitation requires a valid 'public_token', which is unintentionally exposed during the booking process.
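The defect described above is a WHERE-clause builder that accepts raw SQL from the request body. The following is an added illustration, not the plugin's own code: a hypothetical builder that shows the weak pattern next to a hardened form that takes structured filters, allowlists field and operator names, and passes values through WordPress's wpdb::prepare(). The class, method and filter names are assumptions for the example.

```php
<?php
// Hypothetical where-clause builder (added example, not the plugin's code).
// Assumes a WordPress $wpdb instance is available.

class Example_Appointment_Query {
    // Columns a caller may filter on; anything else is rejected.
    private const ALLOWED_FIELDS = ['status', 'staff_id', 'start_date'];
    // Operators a caller may use, mapped to the SQL actually emitted.
    private const ALLOWED_OPS = ['=' => '=', '!=' => '<>', '<' => '<', '>' => '>'];

    // WEAK: a user-controlled SQL fragment is concatenated into the query, so
    // whatever text arrives in the JSON body becomes part of the WHERE clause.
    public static function where_unsafe(array $params): string {
        $where = 'WHERE 1=1';
        if (!empty($params['append_where_sql'])) {
            $where .= ' AND ' . $params['append_where_sql'];
        }
        return $where;
    }

    // HARDENED: the client sends structured filters, never SQL. Field and
    // operator are checked against allowlists; values go through prepare().
    public static function where_safe(wpdb $wpdb, array $params): string {
        $clauses = [];
        $values  = [];
        foreach ((array) ($params['filters'] ?? []) as $filter) {
            $field = $filter['field'] ?? '';
            $op    = $filter['op'] ?? '';
            if (!in_array($field, self::ALLOWED_FIELDS, true)
                || !array_key_exists($op, self::ALLOWED_OPS)) {
                throw new InvalidArgumentException('Rejected filter: unknown field or operator');
            }
            // '%%s' becomes a '%s' placeholder that wpdb::prepare() will quote and escape.
            $clauses[] = sprintf('`%s` %s %%s', $field, self::ALLOWED_OPS[$op]);
            $values[]  = (string) ($filter['value'] ?? '');
        }
        if (!$clauses) {
            return 'WHERE 1=1';
        }
        return $wpdb->prepare('WHERE ' . implode(' AND ', $clauses), ...$values);
    }
}

// Constructed request body, as it would look after json_decode($body, true).
$structured = ['filters' => [['field' => 'status', 'op' => '=', 'value' => 'booked']]];
// $where = Example_Appointment_Query::where_safe($wpdb, $structured);
```

A filter naming a column or operator outside the allowlists throws instead of reaching the database, and the value itself can never change the query's structure because it is bound by prepare().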

Impact

Successful exploitation results in blind SQL injection: an attacker can alter the SQL queries the plugin sends to the database, which could lead to unauthorized data access or modification.

Reproduction

To reproduce this vulnerability, send a JSON payload containing the 'append_where_sql' parameter with a public token obtained during the booking process. The 'db_where_conditions' method will execute the appended SQL commands, allowing for SQL injection.

Remediation

Users are advised to update the Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin to version 1.6.9.29 or later.

Added: Mar 11, 2026, 8:21 AM
Updated: Mar 11, 2026, 8:21 AM

Vulnerability Rating

Custom Algorithm

Category          Score
spread            0.0
impact            2.5
exploitability    7.1
remediation       0.0
relevance         3.8
threat            4.8
urgency           2.9
incentive         0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.