Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-exploitable via admin web interface; PR:L reflects mandatory mpa_appointment_employee role; read-only SQLi yields C:H with no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the mpa_appointment_employee custom role, meaning any user assigned this role can perform the attack.
AnalysisAI
SQL Injection in the MotoPress Appointment Booking WordPress plugin (versions ≤ 2.4.5) allows authenticated attackers holding the mpa_appointment_employee custom role to append arbitrary SQL to booking search queries via the 's' parameter, enabling full read access to the underlying WordPress database. The vulnerability originates in ManageBookingsPage.php at two separate query-construction points (lines 247 and 310), where user-supplied input is neither escaped nor parameterized. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account with the mpa_appointment_employee custom role assigned - this role is specific to the MotoPress Appointment Booking plugin and is not present in default WordPress installations; it must be explicitly granted by a site administrator. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) correctly captures a high-confidentiality, network-exploitable flaw requiring low privilege. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has been legitimately assigned - or has compromised credentials for - the mpa_appointment_employee role logs into the WordPress admin panel, navigates to the booking management page, and submits a crafted search string in the 's' parameter (e.g., appending UNION SELECT statements) to retrieve WordPress user password hashes, email addresses, or other sensitive data from the database. The attack requires no special tooling beyond a web browser or curl, as the injection point is a standard HTTP GET or POST parameter in a predictable admin endpoint. |
| Remediation | An upstream fix has been committed to the plugin trunk via WordPress plugin repository changeset 3591693 (https://plugins.trac.wordpress.org/changeset/3591693/motopress-appointment-lite/trunk/includes/admin-pages/manage/ManageBookingsPage.php); however, an exact released patched version number is not independently confirmed in the available data - administrators should update to the latest available version via the WordPress plugin dashboard and verify the changelog for a post-2.4.5 release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40938
GHSA-5rm9-ph95-q938