- Description
- The Booking Calendar WpDevArt plugin is vulnerable to time-based, blind SQL injection via the `id` parameter in the “wpdevart_booking_calendar” shortcode in versions up to, and including, 3.2.19 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. The vulnerability requires the “delete_prev_date” theme option being enabled. This makes it possible for authenticated attackers, with contributor-level access or above, to append additional SQL queries into already existing query that can be used to extract sensitive information such as passwords from the database.
- Source
- security@wordfence.com
- NVD status
- Received
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Severity
- MEDIUM
- security@wordfence.com
- CWE-89
- Hype score
- Not currently trending
CVE-2024-10856 Time-Based Blind SQL Injection in Booking Calendar WpDevArt Plugin The Booking Calendar WpDevArt plugin has a time-based, blind SQL injection vulnerability. This issue is through the `id` parameter... https://t.co/dqYnsAxTju
@VulmonFeeds
24 Dec 2024
60 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
CVE-2024-10856 The Booking Calendar WpDevArt plugin is vulnerable to time-based, blind SQL injection via the `id` parameter in the “wpdevart_booking_calendar” shortcode in versions … https://t.co/QZZcT5GhMX
@CVEnew
24 Dec 2024
388 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes