PT-2026-54498 · Repute Infosystems · Bookingpress Appointment Booking Pro
H0Xilo
·
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2026-11823
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store service date' parameter of the bpa assign staffmember to slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bookingpress Appointment Booking Pro