CVE-2022-0694

Name of the Vulnerable Software and Affected Versions Advanced Booking Calendar WordPress plugin versions prior to 1.7.0

Description The issue concerns an unauthenticated SQL injection. It occurs because the calendar parameter is not properly validated and escaped before being used in a SQL statement via the abc booking getSingleCalendar AJAX action. This action is accessible to both unauthenticated and authenticated users.

Recommendations For versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the abc booking getSingleCalendar AJAX action to minimize the risk of exploitation.