CVE-2024-54280

9.3 CRITICAL

📋 TL;DR

This SQL injection vulnerability in the WPBookit WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affects all WordPress sites running WPBookit versions up to 1.6.0, potentially compromising sensitive data.

💻 Affected Systems

Products:
  • WPBookit WordPress Plugin
Versions: All versions up to and including 1.6.0
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with WPBookit plugin enabled, regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠

Likely Case

Unauthorized access to sensitive user data, booking information, and potential administrative account takeover.

🟢

If Mitigated

Limited data exposure if proper input validation and WAF rules are in place, but database integrity remains at risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized quickly, especially in WordPress plugins with large install bases.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.6.0

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/wpbookit/vulnerability/wordpress-wpbookit-plugin-1-6-0-sql-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WPBookit and update it to the latest version.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable WPBookit Plugin (Platform: all)

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate wpbookit

Web Application Firewall Rules (Platform: all)

Implement WAF rules to block SQL injection patterns targeting WPBookit endpoints.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at application level
  • Restrict database user permissions to minimum required for WPBookit functionality

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WPBookit version 1.6.0 or earlier

Check Version:

wp plugin list --name=wpbookit --field=version

Verify Fix Applied:

Verify WPBookit plugin version is greater than 1.6.0 in WordPress admin
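The version check above is easy to get wrong when done by string comparison (for example "1.10.0" sorts before "1.6.0" lexicographically). The script below is an added example, not part of the advisory, that compares dotted versions numerically and wraps the advisory's wp-cli command; it assumes wp-cli is on PATH as `wp` when run against a live site, and the vulnerable range (up to and including 1.6.0) is taken from the advisory.

```shell
# Added example (not from the advisory): decide whether an installed WPBookit
# version falls in the affected range (<= 1.6.0) without lexicographic pitfalls.
# Assumes wp-cli is available as `wp` when run against a live site.

AFFECTED_MAX="1.6.0"

# version_le A B: exit 0 if dotted version A <= B, comparing each component
# numerically (so 1.10.0 > 1.6.0, which a plain string compare gets wrong).
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 0
  }'
}

# wpbookit_is_vulnerable VERSION: exit 0 if VERSION is in the range affected
# by CVE-2024-54280 (all versions up to and including 1.6.0).
wpbookit_is_vulnerable() {
  version_le "$1" "$AFFECTED_MAX"
}

# check_site: read the installed version with wp-cli (the advisory's verify
# command) and print a verdict. Exit 1 = affected, 2 = could not determine.
check_site() {
  v=$(wp plugin list --name=wpbookit --field=version 2>/dev/null) || v=""
  if [ -z "$v" ]; then
    echo "wpbookit not installed or wp-cli unavailable"
    return 2
  fi
  if wpbookit_is_vulnerable "$v"; then
    echo "WPBookit $v is affected (<= $AFFECTED_MAX): update the plugin"
    return 1
  fi
  echo "WPBookit $v is outside the affected range"
}

# Only query a live site when wp-cli is actually present.
if command -v wp >/dev/null 2>&1; then
  check_site
fi
```

Run it from the WordPress document root (or add `--path=/var/www/html` to the `wp` call). The explicit empty-version check matters: with no WPBookit installed, `wp plugin list` prints nothing, and an empty string would otherwise compare as version 0 and be reported as affected.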

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in WordPress debug logs
  • Multiple failed SQL queries from single IP
  • Suspicious POST/GET requests to WPBookit endpoints

Network Indicators:

  • SQL injection patterns in HTTP requests to /wp-content/plugins/wpbookit/
  • Unusual database connection spikes

SIEM Query:

source="wordpress.log" AND "wpbookit" AND ("SQL" OR "database" OR "mysql") AND (error OR warning)
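The log and network indicators above can be triaged with ordinary shell tools. The script below is an added example, not part of the advisory, that runs over constructed sample lines so it works offline: a `wp-content/debug.log` excerpt in the format WordPress writes when `WP_DEBUG_LOG` is enabled ("WordPress database error ... for query ... made by ..."), and an Apache/nginx combined-format access log. All IPs, table names, hook names and timestamps in the samples are invented; the plugin path `/wp-content/plugins/wpbookit/` is the one named in the network indicators.

```shell
# Added example (not from the advisory): triage the log indicators for
# CVE-2024-54280 over constructed sample lines. Sample content is invented.

# Constructed excerpt of wp-content/debug.log (WP_DEBUG_LOG format).
DEBUG_LOG_SAMPLE=$(cat <<'EOF'
[12-May-2025 10:01:02 UTC] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for query SELECT * FROM wp_wpbookit_appointments WHERE id = ... made by do_action('wp_ajax_nopriv_example_wpbookit_hook')
[12-May-2025 10:01:03 UTC] PHP Notice: Undefined index: foo in /var/www/html/wp-content/themes/demo/functions.php on line 12
[12-May-2025 10:01:04 UTC] WordPress database error Unknown column 'x' in 'where clause' for query SELECT * FROM wp_wpbookit_staff WHERE ... made by do_action('wp_ajax_nopriv_example_wpbookit_hook')
[12-May-2025 10:01:05 UTC] WordPress database error Table 'wp_orders' doesn't exist for query SELECT * FROM wp_orders made by some_other_plugin()
EOF
)

# Constructed access log (combined format): field 1 = client IP, field 7 = path.
ACCESS_LOG_SAMPLE=$(cat <<'EOF'
203.0.113.7 - - [12/May/2025:10:01:01 +0000] "GET /wp-content/plugins/wpbookit/assets/app.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:01:02 +0000] "POST /wp-content/plugins/wpbookit/example.php HTTP/1.1" 500 120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:01:03 +0000] "POST /wp-content/plugins/wpbookit/example.php HTTP/1.1" 500 120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2025:10:01:04 +0000] "POST /wp-content/plugins/wpbookit/example.php HTTP/1.1" 500 120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2025:10:02:00 +0000] "GET /wp-content/plugins/wpbookit/assets/app.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2025:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2025:10:02:11 +0000] "GET /wp-content/themes/demo/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
)

# wpbookit_db_errors: from debug.log lines on stdin, keep the WordPress
# database errors whose failing query or originating hook mentions WPBookit
# (log indicator: unusual SQL error messages tied to the plugin).
wpbookit_db_errors() {
  grep 'WordPress database error' | grep -i 'wpbookit'
}

# ips_over_threshold N: from access-log lines on stdin, print "IP count" for
# every client that sent more than N requests to the WPBookit plugin path
# (log indicator: many requests from a single IP to plugin endpoints).
ips_over_threshold() {
  awk -v limit="$1" '
    $7 ~ /^\/wp-content\/plugins\/wpbookit\// { c[$1]++ }
    END { for (ip in c) if (c[ip] > limit) print ip, c[ip] }' | sort
}

# wpbookit_server_errors: from access-log lines on stdin, print "IP count" of
# HTTP 5xx responses on the plugin path, a cheap proxy for queries that failed.
wpbookit_server_errors() {
  awk '
    $7 ~ /^\/wp-content\/plugins\/wpbookit\// && $9 ~ /^5/ { c[$1]++ }
    END { for (ip in c) print ip, c[ip] }' | sort
}

echo "== WPBookit-related database errors in debug.log =="
printf '%s\n' "$DEBUG_LOG_SAMPLE" | wpbookit_db_errors
echo "== Clients with more than 3 requests to the plugin path =="
printf '%s\n' "$ACCESS_LOG_SAMPLE" | ips_over_threshold 3
echo "== Clients receiving 5xx on the plugin path =="
printf '%s\n' "$ACCESS_LOG_SAMPLE" | wpbookit_server_errors
```

Against real data, replace the two sample variables with `cat wp-content/debug.log | wpbookit_db_errors` and `cat /var/log/nginx/access.log | ips_over_threshold 50`, choosing a threshold from the site's normal traffic. The debug-log filter needs `WP_DEBUG_LOG` enabled; without it, WordPress does not record failed queries, which is why the access-log 5xx count is included as a fallback signal.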
