PT-2026-54498 · Repute Infosystems · Bookingpress Appointment Booking Pro

H0Xilo

·

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-11823

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store service date' parameter of the bpa assign staffmember to slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-11823

Affected Products

Bookingpress Appointment Booking Pro