Nxploited

**Name of the Vulnerable Software and Affected Versions** The Booking Manager WordPress plugin versions prior to 2.1.15 **Description** The Booking Manager WordPress plugin has an issue where a shortcode capable of deleting bookings is registered and accessible to users with contributor privileges or higher. Visiting a page containing this shortcode results in the deletion of bookings. **Recommendations** Update The Booking Manager WordPress plugin to version 2.1.15 or later.

**Name of the Vulnerable Software and Affected Versions** File Provider WordPress plugin versions 1.2.3 and earlier **Description** The issue arises from the File Provider WordPress plugin not properly sanitizing and escaping a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. This allows for potential attacks without the need for authentication. **Recommendations** For versions 1.2.3 and earlier, update to a version that properly sanitizes and escapes parameters used in SQL statements to prevent SQL injection attacks. As a temporary workaround, consider restricting access to the AJAX action or disabling it until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Likes and Dislikes Plugin versions up to and including 1.0.0 **Description** The issue allows unauthenticated attackers to inject SQL queries via the `post` parameter due to insufficient escaping of user-supplied input and lack of proper preparation of existing SQL queries. This enables attackers to extract sensitive information from the database by appending additional SQL queries to existing ones. **Recommendations** For versions up to and including 1.0.0, as a temporary workaround, consider restricting access to the `post` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.