CVE-2022-0694

9.8 CRITICAL

📋 TL;DR

The Advanced Booking Calendar WordPress plugin, in versions before 1.7.0, passes the calendar parameter of its abc_booking_getSingleCalendar AJAX action into a SQL statement without sanitising or escaping it. Because the action is registered for both logged-in (wp_ajax_) and anonymous (wp_ajax_nopriv_) requests, any unauthenticated visitor who can reach /wp-admin/admin-ajax.php can inject arbitrary SQL into the site's database. Every WordPress site running a vulnerable plugin version is affected, regardless of configuration.

💻 Affected Systems

Products:
  • Advanced Booking Calendar WordPress Plugin
Versions: All versions before 1.7.0
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default plugin configuration. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise allowing data theft, modification, or deletion. The WordPress database user normally has full rights over every table, so this extends to password hashes in wp_users and can lead to full site takeover and credential harvesting.

🟠 Likely Case: Database information disclosure, privilege escalation, or data manipulation affecting booking data and potentially other WordPress tables.

🟢 If Mitigated: Limited impact once the calendar parameter is validated and used only in parameterized queries, which prevents the injection.

🌐 Internet-Facing: HIGH - Exploitable by unauthenticated attackers over the internet with a single crafted request to admin-ajax.php.
🏢 Internal Only: MEDIUM - Exploitable by anyone who can reach the WordPress instance on the network; no credentials are needed.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SQL injection via the calendar parameter. No authentication or special configuration is needed; a single request to admin-ajax.php is enough. Public exploit code is available through security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.0

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2682086

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Advanced Booking Calendar.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.7.0 or later from the WordPress plugin repository and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

all

Remove or restrict access to the abc_booking_getSingleCalendar AJAX action. Two caveats: remove_action() only takes effect when the callback name and priority exactly match the plugin's own add_action() call, so check the plugin source (the callback name below is assumed to be abc_booking_getSingleCalendar) and make sure the removal runs after the plugin has registered the hook; and removing both hooks disables the calendar front end for every visitor, not only attackers. Put the lines in the active theme's functions.php or, better, in a must-use plugin so a theme switch does not silently drop the protection.

Add to theme's functions.php: remove_action('wp_ajax_abc_booking_getSingleCalendar', 'abc_booking_getSingleCalendar');
Add to theme's functions.php: remove_action('wp_ajax_nopriv_abc_booking_getSingleCalendar', 'abc_booking_getSingleCalendar');
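A more robust variant of the workaround above, as an added example (this is not code from the Advanced Booking Calendar plugin or its authors): rather than depending on the plugin's callback name, hook the same two AJAX actions at priority 0 and reject any request whose calendar parameter is not a plain integer, so legitimate calendar requests keep working. It assumes the plugin registers its handler at WordPress's default priority of 10 and that legitimate requests only ever send a numeric calendar ID; verify both against the plugin source before relying on it.

```php
<?php
/**
 * Plugin Name: CVE-2022-0694 calendar parameter guard
 * Description: Added example, not part of the Advanced Booking Calendar plugin. Rejects
 *              non-numeric "calendar" values before the vulnerable AJAX handler runs.
 */

// Install as wp-content/mu-plugins/cve-2022-0694-guard.php (create the directory if
// needed). Must-use plugins load before regular plugins and survive theme switches.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // block direct web access to this file
}

/**
 * Allowlist check: one to ten ASCII digits and nothing else, so no quotes, spaces,
 * operators or comment sequences can reach the query. Assumption: the plugin's own
 * front end only sends a numeric calendar ID in this parameter.
 */
function cve_2022_0694_calendar_is_safe( $value ) {
    return is_string( $value ) && preg_match( '/\A[0-9]{1,10}\z/', $value ) === 1;
}

/**
 * Runs on both the wp_ajax_ (logged-in) and wp_ajax_nopriv_ (anonymous) hooks at
 * priority 0, i.e. before the plugin's callback, which is assumed to use the default
 * priority of 10. Ending the request here means the vulnerable query is never built.
 */
function cve_2022_0694_guard() {
    // admin-ajax.php accepts parameters via GET or POST, so read $_REQUEST.
    $calendar = isset( $_REQUEST['calendar'] ) ? wp_unslash( $_REQUEST['calendar'] ) : null;

    if ( cve_2022_0694_calendar_is_safe( $calendar ) ) {
        return; // legitimate value: hand over to the plugin's handler
    }

    // Leave a trace for log review; the payload itself is deliberately not logged.
    error_log( sprintf(
        'CVE-2022-0694 guard: rejected calendar parameter from %s',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() ends with wp_die(), so no later callback on this hook runs.
    wp_send_json_error( array( 'message' => 'Invalid calendar parameter.' ), 400 );
}

add_action( 'wp_ajax_abc_booking_getSingleCalendar', 'cve_2022_0694_guard', 0 );
add_action( 'wp_ajax_nopriv_abc_booking_getSingleCalendar', 'cve_2022_0694_guard', 0 );
```

If the plugin turns out to register its handler at a priority below 0, or to read the calendar value in some other action, the guard does not cover it; confirm with a request carrying a non-numeric calendar value that the response is the 400 JSON error and not plugin output. Upgrading remains the only complete fix.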

Web Application Firewall rule

all

Block requests containing SQL injection patterns targeting the calendar parameter

WAF specific - create a rule that matches requests to */wp-admin/admin-ajax.php (GET or POST, since the action can be supplied in the query string) with the parameter 'action=abc_booking_getSingleCalendar'. Blocking on SQL keywords in the calendar parameter is the quick option, but keyword blocklists are routinely bypassed with encoding, comments and keyword-free payloads; if the legitimate value is a numeric calendar ID (verify against the plugin's own front-end requests), a stronger rule denies any request for this action whose calendar parameter is not purely numeric.

🧯 If You Can't Patch

  • Disable the Advanced Booking Calendar plugin entirely
  • Implement strict input validation at the web server level using mod_security or similar

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Advanced Booking Calendar. If version is below 1.7.0, you are vulnerable.

Check Version:

wp plugin list --name=advanced-booking-calendar --field=version (if WP-CLI installed)

Verify Fix Applied:

After updating, verify plugin version shows 1.7.0 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Requests (POST or GET) to /wp-admin/admin-ajax.php with action=abc_booking_getSingleCalendar where the calendar parameter is anything other than a plain integer: SQL keywords, quotes, comment sequences (-- or /*), or URL-encoded forms of them
  • Unusual database queries from WordPress application user

Network Indicators:

  • HTTP POST requests with SQL injection payloads in calendar parameter to WordPress AJAX endpoints

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND post_data="*action=abc_booking_getSingleCalendar*" AND (post_data="*UNION*" OR post_data="*SELECT*" OR post_data="*INSERT*" OR post_data="*DELETE*")

Caveats: this query only works where the log source captures request bodies (a WAF or application log; standard web server access logs record the URI and query string but not POST data), and keyword matching misses payloads that are still URL-encoded in the log or that contain no keyword at all, such as time-based injection using SLEEP(). Where the legitimate calendar value is a numeric ID, alert instead on any request for this action whose calendar parameter is not purely numeric, and include GET requests to admin-ajax.php, since the action and parameter can be supplied in the query string.
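The allowlist approach applied to log review, as an added example (not part of this advisory or of any SIEM product): a PHP script that walks JSON log records of the shape the query above assumes, merges query-string and POST parameters the way admin-ajax.php does, and flags every abc_booking_getSingleCalendar request whose calendar value is not purely numeric, attaching SQL keyword hints for the analyst. The field names (ts, src_ip, method, uri, post_data) and the sample records are constructed for the example.

```php
<?php
// Added example, not part of the advisory: triage log records for CVE-2022-0694 probes.
// Run with: php cve-2022-0694-triage.php

/** Merge query-string and POST-body parameters the way admin-ajax.php sees them. */
function cve_2022_0694_params( array $record ) {
    $get = array();
    $query = parse_url( isset( $record['uri'] ) ? $record['uri'] : '', PHP_URL_QUERY );
    if ( is_string( $query ) ) {
        parse_str( $query, $get );
    }
    $post = array();
    parse_str( isset( $record['post_data'] ) ? $record['post_data'] : '', $post );
    return array_merge( $get, $post ); // parse_str also percent-decodes the values
}

/**
 * Returns null for unrelated requests, otherwise an array whose 'verdict' is
 * 'benign' (calendar is a plain integer) or 'suspicious' (anything else).
 */
function cve_2022_0694_classify( array $record ) {
    $path = parse_url( isset( $record['uri'] ) ? $record['uri'] : '', PHP_URL_PATH );
    if ( ! is_string( $path ) || substr( $path, -24 ) !== '/wp-admin/admin-ajax.php' ) {
        return null;
    }
    $params = cve_2022_0694_params( $record );
    if ( ! isset( $params['action'] ) || $params['action'] !== 'abc_booking_getSingleCalendar' ) {
        return null;
    }
    $calendar = isset( $params['calendar'] ) ? $params['calendar'] : '';
    if ( is_array( $calendar ) ) {
        $calendar = '[array]'; // calendar[]=... is never a legitimate ID
    }
    if ( preg_match( '/\A[0-9]{1,10}\z/', $calendar ) ) {
        return array( 'verdict' => 'benign', 'calendar' => $calendar, 'hints' => array() );
    }
    // The verdict rests on the allowlist; keyword hints only help the analyst, because a
    // payload such as "3 AND SLEEP(5)" contains none of UNION/SELECT/INSERT/DELETE.
    preg_match_all( '/\b(?:union|select|insert|delete|sleep|benchmark|or|and)\b|[\'"]|--|#|\/\*/i', $calendar, $m );
    $hints = array_values( array_unique( array_map( 'strtolower', $m[0] ) ) );
    return array( 'verdict' => 'suspicious', 'calendar' => $calendar, 'hints' => $hints );
}

/** Decode JSON lines and return the suspicious hits with timestamp and source address. */
function cve_2022_0694_triage( array $lines ) {
    $hits = array();
    foreach ( $lines as $line ) {
        $record = json_decode( $line, true );
        if ( ! is_array( $record ) ) {
            continue; // malformed line: skip it rather than abort the run
        }
        $result = cve_2022_0694_classify( $record );
        if ( $result !== null && $result['verdict'] === 'suspicious' ) {
            $hits[] = array(
                'ts'       => isset( $record['ts'] ) ? $record['ts'] : '-',
                'src_ip'   => isset( $record['src_ip'] ) ? $record['src_ip'] : '-',
                'calendar' => $result['calendar'],
                'hints'    => $result['hints'],
            );
        }
    }
    return $hits;
}

// Constructed sample records (not real traffic). Records 2, 3 and 5 are flagged;
// record 3 would slip past a UNION/SELECT/INSERT/DELETE keyword match.
$cve_2022_0694_samples = array(
    '{"ts":"2022-02-21T10:00:01Z","src_ip":"203.0.113.10","method":"POST","uri":"/wp-admin/admin-ajax.php","post_data":"action=abc_booking_getSingleCalendar&calendar=3"}',
    '{"ts":"2022-02-21T10:00:05Z","src_ip":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","post_data":"action=abc_booking_getSingleCalendar&calendar=3%27%20OR%201%3D1--%20-"}',
    '{"ts":"2022-02-21T10:00:09Z","src_ip":"198.51.100.7","method":"POST","uri":"/wp-admin/admin-ajax.php","post_data":"action=abc_booking_getSingleCalendar&calendar=3%20AND%20SLEEP%285%29"}',
    '{"ts":"2022-02-21T10:00:12Z","src_ip":"203.0.113.10","method":"POST","uri":"/wp-admin/admin-ajax.php","post_data":"action=heartbeat&_nonce=deadbeef"}',
    '{"ts":"2022-02-21T10:00:20Z","src_ip":"198.51.100.7","method":"GET","uri":"/wp-admin/admin-ajax.php?action=abc_booking_getSingleCalendar&calendar=1%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users","post_data":""}',
);

if ( PHP_SAPI === 'cli' ) {
    foreach ( cve_2022_0694_triage( $cve_2022_0694_samples ) as $hit ) {
        printf( "%s %-15s calendar=%s hints=%s\n", $hit['ts'], $hit['src_ip'], $hit['calendar'], implode( ',', $hit['hints'] ) );
    }
}
```

To run it against real data, replace the sample array with the lines of an exported JSON log and group the hits by src_ip: one or two non-numeric values may be a broken client, but a burst from one address, especially with SLEEP or BENCHMARK hints, is an active injection attempt against this endpoint.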
