PT-2024-16356 · WordPress · Bookingpress

Arkadiusz Hydzik

·

Published

2024-11-01

·

Updated

2024-11-04

·

CVE-2024-10540

CVSS v3.1

6.5

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: BookingPress plugin for WordPress, versions up to and including 1.1.16
Description: The BookingPress plugin for WordPress is vulnerable to SQL injection via the service parameter of the bookingpress form shortcode. The user-supplied value is not sufficiently escaped and the existing SQL query is not prepared, so the value can alter the structure of the query instead of being bound as data. This allows authenticated attackers with Subscriber-level access or above to append additional SQL to the existing query and use it to extract sensitive information from the database. Because Subscriber is the default role assigned to newly registered WordPress users, sites that allow open registration should treat this as reachable by anyone able to create an account.
Recommendations: Update to the latest version; the vulnerability affects 1.1.16 and earlier. As a temporary workaround, restrict who can place or render the bookingpress form shortcode, and avoid using the service parameter of the affected shortcode until the plugin has been updated. After updating, confirm that the installed plugin version is later than 1.1.16.
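As an added illustration of the two patterns the description contrasts (a shortcode attribute interpolated into a query versus the same query bound through $wpdb->prepare()), the following is hypothetical code written for this page; it is not BookingPress's source and does not claim to reproduce the affected query. The shortcode tag example_services, the table name, the column names and the function names are all invented, and it assumes the service attribute is meant to carry a numeric service ID.

```php
<?php
// Added example, not BookingPress code. All names here are invented for
// illustration; the assumption is that `service` should be a numeric ID.

// Vulnerable pattern: the attribute value is interpolated straight into SQL.
// Whoever controls the attribute value controls the structure of the query.
function example_services_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'service' => '' ), $atts, 'example_services' );
    $table = $wpdb->prefix . 'example_services';

    // UNSAFE: a value such as
    //   0 UNION SELECT user_login, user_pass FROM wp_users
    // matches the two selected columns and reads password hashes out of the
    // default WordPress users table instead of a service row.
    $sql  = "SELECT name, price FROM {$table} WHERE id = {$atts['service']}";
    $rows = $wpdb->get_results( $sql, ARRAY_A );

    return example_render_rows( $rows );
}

// Hardened pattern: coerce the value to the expected type, reject the empty
// case, and bind it with $wpdb->prepare() so it can only ever be an integer.
function example_services_shortcode_fixed( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'service' => 0 ), $atts, 'example_services' );
    $table = $wpdb->prefix . 'example_services';

    $service_id = absint( $atts['service'] ); // non-numeric input becomes 0
    if ( 0 === $service_id ) {
        return '';
    }

    $rows = $wpdb->get_results(
        $wpdb->prepare( "SELECT name, price FROM {$table} WHERE id = %d", $service_id ),
        ARRAY_A
    );

    return example_render_rows( $rows );
}

// Escape on output too: rows read back from the database are untrusted data.
function example_render_rows( $rows ) {
    $out = '<ul>';
    foreach ( (array) $rows as $row ) {
        $out .= '<li>' . esc_html( $row['name'] ) . ' (' . esc_html( $row['price'] ) . ')</li>';
    }
    return $out . '</ul>';
}

add_shortcode( 'example_services', 'example_services_shortcode_fixed' );
```

The table name is built from $wpdb->prefix, which the site controls, so interpolating it is acceptable; only the attacker-influenced value goes through the placeholder. If an attribute is legitimately a string rather than an ID, bind it with %s instead, and pass it through $wpdb->esc_like() first when it feeds a LIKE pattern, since prepare() escapes quotes but not LIKE wildcards.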

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2024-10540

Affected Products

Bookingpress