PT-2026-54630 · WordPress · Motopress Appointment Booking

Matilj

·

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-13454

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions MotoPress Appointment Booking versions prior to 2.4.6
Description Insufficient escaping of user-supplied input and lack of proper preparation in SQL queries allow authenticated attackers with the mpa appointment employee custom role to perform SQL Injection. By manipulating the s parameter, an attacker can append additional SQL queries to extract sensitive information from the database.
Recommendations Update the plugin to version 2.4.6 or later. Restrict access to the mpa appointment employee role to trusted users only.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-13454

Affected Products

Motopress Appointment Booking