cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-11726,https://securityvulnerability.io/vulnerability/CVE-2024-11726,SQL Injection Vulnerability in BookingPress Plugin for WordPress,"The BookingPress plugin for WordPress is vulnerable to SQL Injection through the 'category' parameter of the 'bookingpress_form' shortcode. Because the parameter is not adequately escaped and the existing SQL query is insufficiently prepared, authenticated attackers with Contributor-level access or higher can append their own queries to the statement. This can lead to the unauthorized extraction of sensitive information from the database, posing significant risks to web application security and user data integrity.",Wordpress,Appointment Booking Calendar Plugin And Scheduling Plugin – Bookingpress,6.5,MEDIUM,0.0004900000058114529,false,,false,false,false,,false,false,2024-12-24T11:09:50.216Z,0
CVE-2024-10540,https://securityvulnerability.io/vulnerability/CVE-2024-10540,SQL Injection Vulnerability in BookingPress Plugin,"The Appointment Booking Calendar Plugin and Scheduling Plugin, known as the BookingPress plugin for WordPress, is vulnerable to SQL Injection through the 'service' parameter of the 'bookingpress_form' shortcode. This vulnerability arises from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries. Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to inject additional SQL queries into existing requests, potentially enabling them to extract sensitive database information. Website administrators are advised to review their current versions and apply necessary updates to mitigate this security risk.",Wordpress,Appointment Booking Calendar Plugin And Scheduling Plugin – Bookingpress,6.5,MEDIUM,0.0006099999882280827,false,,false,false,false,,false,false,2024-11-02T02:15:00.000Z,0
CVE-2024-7350,https://securityvulnerability.io/vulnerability/CVE-2024-7350,Unauthorized Access to Administrator Accounts Through Plugin's Authentication Bypass,"The Appointment Booking Calendar Plugin and Online Scheduling Plugin developed by BookingPress for WordPress has a vulnerability that allows for authentication bypass in versions 1.1.6 to 1.1.7. This vulnerability arises from inadequate verification of user identity during the login that follows a completed booking. When the 'Auto login user after successful booking' feature is enabled, attackers without valid credentials can exploit this flaw to impersonate any registered user, including administrators, provided they know the victim's email address.",Wordpress,Appointment Booking Calendar Plugin And Scheduling Plugin – Bookingpress,9.8,CRITICAL,0.0006300000241026282,false,,false,false,false,,false,false,2024-08-08T02:32:06.827Z,0
CVE-2024-6467,https://securityvulnerability.io/vulnerability/CVE-2024-6467,All Versions Vulnerable to Arbitrary File Read to Arbitrary File Creation,"The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin for WordPress is vulnerable to Arbitrary File Read and Arbitrary File Creation. Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability through the 'bookingpress_save_lite_wizard_settings_func' function to create arbitrary files, which may contain sensitive server data or executable PHP code. The potential exposure includes critical sensitive information and poses severe risks to the integrity of the WordPress environment.",Wordpress,Bookingpress,8.8,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-07-17T07:15:00.000Z,0
CVE-2024-6660,https://securityvulnerability.io/vulnerability/CVE-2024-6660,Vulnerability in BookingPress Allows Authenticated Attackers to escalate Privileges,"The BookingPress – Appointment Booking Calendar Plugin for WordPress contains a vulnerability that allows unauthorized data modification. This arises from a missing capability check in the bookingpress_import_data_continue_process_func function, present in all versions up to and including version 1.1.5. Authenticated attackers with Subscriber-level access or higher can exploit this flaw to modify arbitrary options on the WordPress site and upload files. This can enable the attacker to change the default registration role to administrator, granting them broad administrative access to vulnerable sites.",Wordpress,Bookingpress,8.8,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,2024-07-17T07:15:00.000Z,0
CVE-2024-3022,https://securityvulnerability.io/vulnerability/CVE-2024-3022,Arbitrary File Upload Vulnerability in BookingPress Plugin,"The BookingPress plugin for WordPress presents a critical security issue in its 'bookingpress_process_upload' function, where inadequate filename validation allows arbitrary file uploads. Authenticated attackers with administrator-level access or higher can exploit it to upload malicious files to the server. If an uploaded file is then executed, this can lead to remote code execution, posing significant risks to the integrity and security of WordPress sites running this plugin.",Wordpress,Bookingpress – Appointment Booking Calendar Plugin And Online Scheduling Plugin,7.2,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,2024-04-04T02:15:00.000Z,0
CVE-2023-6219,https://securityvulnerability.io/vulnerability/CVE-2023-6219,Arbitrary File Upload Vulnerability in BookingPress Plugin for WordPress,"The BookingPress plugin for WordPress contains a vulnerability that permits authenticated users, specifically those with administrator privileges, to upload arbitrary files via the 'bookingpress_process_upload' function. This vulnerability arises from inadequate file validation checks, allowing attackers to potentially execute remote code on the server hosting the affected site. It affects all versions of the BookingPress plugin up to and including 1.0.76, emphasizing the need for users to update their installations to mitigate the risk.",Wordpress,Bookingpress – Appointment Booking Calendar Plugin And Online Scheduling Plugin,7.2,HIGH,0.003100000089034438,false,,false,false,false,,false,false,2023-11-28T03:15:00.000Z,0
CVE-2022-4340,https://securityvulnerability.io/vulnerability/CVE-2022-4340,BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id,"The BookingPress WordPress plugin before 1.0.31 suffers from an Insecure Direct Object Reference (IDOR) vulnerability in its thank-you page, allowing any visitor to display information about any booking, including full name, date, time and service booked, by manipulating the appointment_id query parameter.",Wordpress,Bookingpress,5.3,MEDIUM,0.0007600000244565308,false,,false,false,false,,false,false,2023-01-02T21:49:16.234Z,0
CVE-2022-0739,https://securityvulnerability.io/vulnerability/CVE-2022-0739,BookingPress < 1.0.11 - Unauthenticated SQL Injection,"The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user-supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection.",Wordpress,Bookingpress – Appointments Booking Calendar Plugin And Online Scheduling Plugin,9.8,CRITICAL,0.022269999608397484,false,,false,false,true,true,false,false,2022-03-21T18:56:00.000Z,0
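The export above is only useful once it is parsed and ranked. The following Python is an added example, not part of the original export and not code from BookingPress or securityvulnerability.io: it reads the column layout used above with the standard csv module (which correctly treats a quoted description containing commas or a line break as a single field), types the score/epss/boolean columns, and orders the rows by a triage score. The sample data is constructed from three of the rows above with descriptions shortened; the weighting in priority() is an assumption chosen to show exploitation evidence outranking raw CVSS, not a published scheme.

```python
"""Triage helper for a CVE export in the column layout used above.

Added example: not part of the original export and not BookingPress or
securityvulnerability.io code. SAMPLE_EXPORT is constructed from three rows
of the export with the descriptions shortened; the weights in priority()
are an assumption, not a published scoring scheme.
"""
import csv
import io

SAMPLE_EXPORT = """\
cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2022-0739,https://securityvulnerability.io/vulnerability/CVE-2022-0739,BookingPress < 1.0.11 - Unauthenticated SQL Injection,"Unauthenticated SQL Injection via the bookingpress_front_get_category_services AJAX action.",Wordpress,Bookingpress,9.8,CRITICAL,0.022269999608397484,false,,false,false,true,true,false,false,2022-03-21T18:56:00.000Z,0
CVE-2024-7350,https://securityvulnerability.io/vulnerability/CVE-2024-7350,Unauthorized Access to Administrator Accounts Through Plugin's Authentication Bypass,"Authentication bypass in versions 1.1.6 to 1.1.7 when 'Auto login user after successful booking' is enabled.
Attackers who know a victim's email address can impersonate that user.",Wordpress,Bookingpress,9.8,CRITICAL,0.0006300000241026282,false,,false,false,false,false,false,false,2024-08-08T02:32:06.827Z,0
CVE-2022-4340,https://securityvulnerability.io/vulnerability/CVE-2022-4340,BookingPress < 1.0.31 - Unauthenticated IDOR in appointment_id,"IDOR in the thank-you page via the appointment_id query parameter.",Wordpress,Bookingpress,5.3,MEDIUM,0.0007600000244565308,false,,false,false,false,false,false,false,2023-01-02T21:49:16.234Z,0
"""

# Columns the export encodes as the strings "true" / "false" (or blank).
BOOL_FIELDS = ("cisa", "article", "ransomware", "exploited", "poc",
               "trended", "trended_no_1")


def parse_export(text):
    """Parse the export into dicts with typed score/epss/boolean columns.

    csv.DictReader honours RFC 4180 quoting, so a description containing
    commas or a newline is read as one field. A flattened copy in which
    records were joined with spaces instead of newlines must be restored to
    one record per line first; this parser does not guess record breaks.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["score"] = float(row["score"]) if row["score"] else 0.0
        row["epss"] = float(row["epss"]) if row["epss"] else 0.0
        for field in BOOL_FIELDS:
            row[field] = (row[field] or "").strip().lower() == "true"
        rows.append(row)
    return rows


def requires_authentication(row):
    """Heuristic: the feed flags pre-auth issues as 'unauthenticated' in text."""
    text = (row["title"] + " " + row["description"]).lower()
    return "unauthenticated" not in text


def priority(row):
    """Assumed weighting: exploitation evidence outranks raw CVSS.

    CVSS base (0-10) is the floor. KEV listing, in-the-wild exploitation,
    ransomware use, a public PoC and trending each add a fixed bonus, and
    EPSS (a probability) is scaled to 0-100 so it can reorder equal CVSS.
    """
    value = row["score"]
    value += 30 if row["cisa"] else 0
    value += 20 if row["exploited"] else 0
    value += 20 if row["ransomware"] else 0
    value += 10 if row["poc"] else 0
    value += 5 if row["trended"] else 0
    value += row["epss"] * 100
    return round(value, 3)


def triage(text):
    """Return (cve, severity, priority, pre_auth) tuples, highest first."""
    rows = parse_export(text)
    rows.sort(key=lambda r: (-priority(r), r["cve"]))
    return [(r["cve"], r["severity"], priority(r), not requires_authentication(r))
            for r in rows]


if __name__ == "__main__":
    for cve, severity, score, pre_auth in triage(SAMPLE_EXPORT):
        print(f"{cve:<15} {severity:<9} {score:>8.3f} pre-auth={pre_auth}")
```

Run against the sample, CVE-2022-0739 sorts first because its exploited and poc flags are set and its EPSS is roughly 35 times that of the other rows; the two 9.8 and 5.3 CVSS entries follow in base-score order. The pre_auth flag is carried separately rather than folded into the score, since whether an issue is reachable without a login is a fact a reviewer wants to see, not a number to tune.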