CVE-2024-10540
📋 TL;DR
This SQL injection vulnerability in the BookingPress WordPress plugin allows authenticated attackers with Subscriber-level access or higher to inject malicious SQL queries through the 'service' parameter. This can lead to unauthorized data extraction from the WordPress database, potentially exposing sensitive information like user credentials, personal data, or other confidential content stored in the database.
💻 Affected Systems
- BookingPress Appointment Booking and Scheduling Plugin for WordPress
📦 What is this software?
Bookingpress by Reputeinfosystems
⚠️ Risk & Real-World Impact
Worst Case
Attackers could extract the entire WordPress database including user credentials (hashed passwords), personal information, payment details if stored, and potentially gain administrative access to the WordPress site.
Likely Case
Attackers extract user data, email addresses, and potentially escalate privileges by accessing administrator credentials or modifying user roles.
If Mitigated
With proper input validation and parameterized queries the injection is prevented, and the plugin continues to function normally.
🎯 Exploit Status
SQL injection vulnerabilities in WordPress plugins are frequently weaponized. Exploitation requires an authenticated account, but Subscriber is the lowest WordPress user role.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.17 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the BookingPress plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.1.17 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable BookingPress Plugin
Temporarily disable the vulnerable plugin until it is patched:
wp plugin deactivate bookingpress-appointment-booking
Restrict User Registration
Disable new user registration to prevent attackers from obtaining Subscriber accounts:
Update WordPress Settings → General → Membership: Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block SQL injection patterns in the 'service' parameter
- Remove or restrict Subscriber-level access to affected WordPress sites
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → BookingPress version. If the version is 1.1.16 or lower, the site is vulnerable.
Check Version:
wp plugin get bookingpress-appointment-booking --field=version
Verify Fix Applied:
Verify BookingPress plugin version is 1.1.17 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in WordPress or database logs
- Multiple failed login attempts followed by successful Subscriber login
- Unusual database SELECT queries from WordPress application user
Network Indicators:
- HTTP POST requests to WordPress with SQL injection patterns in 'service' parameter
- Unusual database traffic from web server
SIEM Query:
source="wordpress.log" AND "bookingpress" AND ("service=" OR "SQL" OR "UNION" OR "SELECT")
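Added example (not code from the advisory or the BookingPress project): the Network Indicators and SIEM Query above look for SQL patterns in the 'service' parameter, and the SIEM query matches the bare words UNION/SELECT anywhere in a log line. This Python script instead extracts the decoded 'service' value from each request and flags only non-numeric values that match SQL patterns. It assumes a hypothetical per-request JSON log with uri, body and user fields; adapt the loader to whatever your WAF or application log actually records.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# SQL keywords/metacharacters that never belong in a BookingPress service id.
# The advisory's SIEM query matches UNION/SELECT anywhere in a log line;
# testing the decoded parameter value instead keeps false positives down.
SQLI_RE = re.compile(
    r"\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b|\bsleep\s*\(|\bbenchmark\s*\("
    r"|--|/\*|'\s*(?:or|and)\b|\bor\b\s*\d+\s*=\s*\d+",
    re.IGNORECASE | re.DOTALL,
)

def service_values(entry):
    """Every decoded 'service' value from the query string and the form body."""
    values = parse_qs(urlparse(entry.get("uri", "")).query).get("service", [])
    return values + parse_qs(entry.get("body", "")).get("service", [])

def classify(entry):
    """Return a finding for a suspicious BookingPress request, else None."""
    blob = (entry.get("uri", "") + " " + entry.get("body", "")).lower()
    if "bookingpress" not in blob:
        return None
    for value in service_values(entry):
        # A legitimate service id is numeric; anything else is pattern-checked.
        if not value.isdigit() and SQLI_RE.search(value):
            return {"user": entry.get("user"), "service": value}
    return None

def scan(lines):
    """Run classify() over JSON log lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            findings.append(classify(json.loads(line)))
        except ValueError:
            continue
    return [f for f in findings if f]

# Constructed sample log lines in the assumed format (not real traffic).
SAMPLE_LOG = [
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","user":"sub1",'
    '"body":"action=bookingpress_placeholder&service=3"}',
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","user":"sub1",'
    '"body":"action=bookingpress_placeholder&service=3+UNION+SELECT+1%2C2"}',
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","user":"sub1",'
    '"body":"action=bookingpress_placeholder&service=select"}',
    "not json at all",
]
```

Only the second sample is reported; the third, which the keyword-only SIEM query would also match on "SELECT", is correctly ignored because the decoded value carries no injection pattern.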
🔗 References
- https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/trunk/core/classes/class.bookingpress.php#L358
- https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/trunk/core/classes/frontend/class.bookingpress_appointment_bookings.php#L3683
- https://plugins.trac.wordpress.org/browser/bookingpress-appointment-booking/trunk/core/classes/frontend/class.bookingpress_appointment_bookings.php#L4620
- https://plugins.trac.wordpress.org/changeset/3179229/bookingpress-appointment-booking/trunk/core/classes/frontend/class.bookingpress_appointment_bookings.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/21690b9c-ffec-4195-8c0f-2b1801552bc6?source=cve