Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin for WordPress. This vulnerability exists in all versions through 1.6.10.0 and allows unauthenticated attackers to exploit the 'fields' parameter. The issue arises from inadequate escaping of user-supplied data and insufficient preparation of the SQL query, enabling attackers to inject additional SQL commands. Exploitation of this vulnerability could lead to the extraction of sensitive information from the database, such as usernames, email addresses, and password hashes.

Impact

Exploitation of this vulnerability allows for SQL injection, where attackers can manipulate database queries to extract sensitive information from the database, including usernames, email addresses, and password hashes.

Reproduction

To reproduce this vulnerability, send a request to the WordPress site with the 'fields' parameter. The absence of proper input validation and SQL query preparation will allow the injection of malicious SQL code. This can be done through the WordPress REST API or by manipulating form fields that are processed by the vulnerable plugin.

Remediation

Users are advised to update the Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin to version 1.6.10.2 or a newer patched version.