CVE-2024-1207
📋 TL;DR
This SQL injection vulnerability in the WP Booking Calendar WordPress plugin allows unauthenticated attackers to inject malicious SQL queries through the 'calendar_request_params[dates_ddmmyy_csv]' parameter. This can lead to sensitive database information extraction. All WordPress sites using WP Booking Calendar version 9.9 or earlier are affected.
💻 Affected Systems
- WP Booking Calendar WordPress Plugin
📦 What is this software?
Booking Calendar by Wpbookingcalendar
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, sensitive booking data, and potential privilege escalation leading to full site takeover.
Likely Case
Extraction of sensitive booking information, user data, and potentially WordPress authentication credentials from the database.
If Mitigated
Limited information disclosure if database permissions are properly restricted and WAF rules block SQL injection attempts.
🎯 Exploit Status
SQL injection via an unauthenticated parameter makes exploitation straightforward for attackers with basic SQL knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.9.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3032596%40booking&new=3032596%40booking&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Booking Calendar.
4. Click 'Update Now' if available.
5. Alternatively, download version 9.9.1+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Web Application Firewall Rule
Implement WAF rules to block SQL injection patterns targeting the vulnerable parameter
Plugin Deactivation
Temporarily disable the WP Booking Calendar plugin until patched
wp plugin deactivate booking
🧯 If You Can't Patch
- Implement strict input validation for the 'calendar_request_params[dates_ddmmyy_csv]' parameter
- Deploy a web application firewall with SQL injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WP Booking Calendar version 9.9 or earlier
Check Version:
wp plugin get booking --field=version
Verify Fix Applied:
Confirm WP Booking Calendar version is 9.9.1 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple requests to booking calendar endpoints with SQL-like parameters
Network Indicators:
- HTTP POST requests containing SQL injection patterns in 'calendar_request_params[dates_ddmmyy_csv]' parameter
SIEM Query:
source="web_logs" AND uri="*wp-booking-calendar*" AND param="*dates_ddmmyy_csv*" AND (value="*UNION*" OR value="*SELECT*" OR value="*INSERT*" OR value="*DELETE*")
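As an added example (not code from the advisory, the plugin or the vendor), the check below is what a WAF or reverse proxy that logs request bodies could apply to captured POST requests: it decodes the form body, extracts the 'calendar_request_params[dates_ddmmyy_csv]' value, and flags anything that is not a plain list of dates, which is stricter than the keyword matching in the SIEM query above. The expected dd.mm.yyyy date format, the admin-ajax.php endpoint and the sample records are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Parameter named in the advisory; the PHP-style bracket key survives URL decoding unchanged.
PARAM = "calendar_request_params[dates_ddmmyy_csv]"

# Assumption: a legitimate value is a comma-separated list of dd.mm.yyyy dates,
# optionally with spaces, e.g. "25.12.2024, 26.12.2024". Anything else is suspect.
DATE_CSV = re.compile(r"^\d{2}\.\d{2}\.\d{4}(\s*,\s*\d{2}\.\d{2}\.\d{4})*$")

# SQL keywords and metacharacters that never belong in a date list; used only to
# label why a value failed, since the allow-list above already rejects it.
SQLI_HINT = re.compile(r"(?i)\b(union|select|insert|delete|sleep|benchmark)\b|['\"();#]|--|/\*")


def classify_request(method: str, uri: str, body: str) -> str:
    """Return 'clean', 'not_applicable' or 'suspect' for one captured request.

    `body` is the raw application/x-www-form-urlencoded POST body. A plain access
    log does not contain it; the capture has to come from a WAF or proxy.
    """
    if method.upper() != "POST":
        return "not_applicable"
    values = parse_qs(body).get(PARAM)
    if not values:
        return "not_applicable"
    for value in values:
        if not DATE_CSV.fullmatch(value) or SQLI_HINT.search(value):
            return "suspect"
    return "clean"


def scan(records):
    """Return the indexes of the records that classify as 'suspect'."""
    return [i for i, (m, u, b) in enumerate(records) if classify_request(m, u, b) == "suspect"]


# Constructed sample records, not real traffic. The endpoint is assumed.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php",
     "calendar_request_params%5Bdates_ddmmyy_csv%5D=25.12.2024%2C+26.12.2024"),
    ("POST", "/wp-admin/admin-ajax.php",
     "calendar_request_params%5Bdates_ddmmyy_csv%5D=25.12.2024%27+UNION+SELECT+1--"),
    ("GET", "/wp-admin/admin-ajax.php", ""),
]

if __name__ == "__main__":
    for idx in scan(SAMPLE_REQUESTS):
        print(f"suspect request #{idx}: {SAMPLE_REQUESTS[idx][2]}")
```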
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3032596%40booking&new=3032596%40booking&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7802ed1f-138c-4a3d-916c-80fb4f7699b2?source=cve