Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network POST with no interaction (AV:N/AC:L/PR:N/UI:N); read-only data extraction gives C:H with no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Articles & Coverage 1
AnalysisAI
SQL injection in the BookingPress Appointment Booking Pro WordPress plugin (versions up to and including 5.7.1) allows unauthenticated attackers to inject SQL through the 'store_service_date' POST parameter of the bpa_assign_staffmember_to_slots() function, enabling extraction of sensitive database contents such as user credentials and PII. The flaw stems from stripslashes_deep() being applied to user input before it is concatenated directly into a LIKE clause without $wpdb->prepare(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that a target WordPress site have BookingPress Appointment Booking Pro version 5.7.1 or earlier installed and active, with the AJAX endpoint invoking bpa_assign_staffmember_to_slots() reachable over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) is internally consistent with the description: network-reachable, low complexity, no privileges, no user interaction, high confidentiality impact only (no integrity or availability impact, consistent with a read-oriented data-extraction SQLi). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP POST request to the plugin's staff-assignment handler with SQL payload embedded in the 'store_service_date' field. Because stripslashes_deep() removes escaping and the value is concatenated into a LIKE clause, the appended query executes, returning contents of tables such as wp_users, allowing the attacker to exfiltrate password hashes, email addresses, and other sensitive data. … |
| Remediation | No vendor-released patch version was identified in the provided data, so upgrade to the first release after 5.7.1 once the vendor publishes it and confirm the fix via the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/1663be8e-a6b8-4e0d-97d0-af7db2a2875c?source=cve). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations running BookingPress Pro and identify affected versions; assess what customer data flows through the booking system. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40912
GHSA-6qfc-c5qp-6g6q