12 Feb 2024

SQL Injection Vulnerability in Booking Calendar

We recently saw a hacker probing for usage of the WordPress plugin Booking Calendar on our website and third-party websites with the following request:

/wp-content/plugins/booking/readme.txt

The changelog for the latest version of the plugin suggested a SQL injection vulnerability had been fixed in the plugin, “Fix vulnerability of possible unauthenticated sql injection (9.9.1.1).” The changes made in that version don’t show any obvious fix for that type of vulnerability, as there were no changes being made to any SQL statements.

Wordfence also made a vague claim of a SQL injection vulnerability being fixed in that version:

The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the ‘calendar_request_params[dates_ddmmyy_csv]’ parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Based on that, we were able to confirm that the plugin still has code that isn’t properly using prepared statements to prevent SQL injection, but that the new version limits the value of user input being passed when making a booking request to prevent SQL injection.
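As an added example (not code from the Booking Calendar plugin), this is the pattern that would have prevented the issue described above: validate the comma-separated dd.mm.yy list strictly, then let $wpdb->prepare() quote every value. The function names and the table name are assumptions; only the parameter name dates_ddmmyy_csv comes from this post.

```php
<?php
// Added example, not the plugin's own code. validate_ddmmyy_csv(),
// count_bookings_for_dates() and the table name wp_booking_dates are
// hypothetical; $wpdb is the standard WordPress database object.

function validate_ddmmyy_csv( $csv ) {
    $dates = array();
    foreach ( explode( ',', (string) $csv ) as $item ) {
        $item = trim( $item );
        // Strict format check: exactly two-digit day, month and year.
        // A value such as "'.1.1" fails here and never reaches SQL.
        if ( ! preg_match( '/^(\d{2})\.(\d{2})\.(\d{2})$/', $item, $m ) ) {
            return false; // reject the whole request on any malformed item
        }
        // checkdate() rejects impossible calendar dates such as 31.02.24.
        if ( ! checkdate( (int) $m[2], (int) $m[1], 2000 + (int) $m[3] ) ) {
            return false;
        }
        $dates[] = $item;
    }
    return $dates;
}

function count_bookings_for_dates( $wpdb, $csv ) {
    $dates = validate_ddmmyy_csv( $csv );
    if ( false === $dates || empty( $dates ) ) {
        return 0;
    }
    // One %s placeholder per date; $wpdb->prepare() quotes and escapes each
    // value, so user input can no longer terminate the string literal.
    $placeholders = implode( ',', array_fill( 0, count( $dates ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}booking_dates WHERE booking_date IN ($placeholders)",
        $dates
    );
    return (int) $wpdb->get_var( $sql );
}

// Constructed inputs: the first mirrors the proof of concept from this post
// and is rejected; the second is a well-formed list and is accepted.
var_dump( validate_ddmmyy_csv( "'.1.1" ) );
var_dump( validate_ddmmyy_csv( '12.02.24,13.02.24' ) );
```

Note that the validation step is what keeps the fix robust: $wpdb->prepare() alone protects the query, but rejecting malformed input also gives you a clean signal to log when someone sends values like the one in the proof of concept.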

Making the situation more troubling is that the vulnerable code was only months old. So this isn’t legacy code that hasn’t been properly secured, but new code being introduced that is insecure.

It’s unclear to what extent hackers could exploit this, though, because of where the injection would occur.

Free Warning

As this vulnerability looks to be targeted by hackers, we are adding accurate data on it to the free data that comes with our Plugin Vulnerabilities plugin.

Proof of Concept

With the following proof of concept, a SQL syntax error will be shown with the WP_DEBUG setting set to true in the WordPress configuration file.

Make a booking request and then resend the request with the value of the input “calendar_request_params[dates_ddmmyy_csv]” set to “‘.1.1”.


Plugin Security Scorecard Grade for Booking Calendar

Checked on March 7, 2025
C+