CVE-2022-0658

Name of the Vulnerable Software and Affected Versions CommonsBooking WordPress plugin versions prior to 2.6.8

Description The issue arises from the lack of sanitization and escaping of the location parameter in the "calendar data" AJAX action, which is accessible to unauthenticated users. This oversight allows for unauthenticated SQL injection, as the parameter is used in dynamically constructed SQL queries.

Recommendations For versions prior to 2.6.8, update to version 2.6.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the "calendar data" AJAX action to authenticated users only, until a patch is applied.