Skip to main content

BookingPress Appointment Booking Pro EUVDEUVD-2026-40912

| CVE-2026-11823 HIGH
SQL Injection (CWE-89)
2026-07-01 Wordfence GHSA-6qfc-c5qp-6g6q
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network POST with no interaction (AV:N/AC:L/PR:N/UI:N); read-only data extraction gives C:H with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 07:15 vuln.today
CVE Published
Jul 01, 2026 - 05:35 cve.org
HIGH 7.5

DescriptionCVE.org

The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

SQL injection in the BookingPress Appointment Booking Pro WordPress plugin (versions up to and including 5.7.1) allows unauthenticated attackers to inject SQL through the 'store_service_date' POST parameter of the bpa_assign_staffmember_to_slots() function, enabling extraction of sensitive database contents such as user credentials and PII. The flaw stems from stripslashes_deep() being applied to user input before it is concatenated directly into a LIKE clause without $wpdb->prepare(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running BookingPress ≤5.7.1
Delivery
Craft POST to bpa_assign_staffmember_to_slots endpoint
Exploit
Inject SQL via store_service_date LIKE clause
Execution
Append UNION subquery to running query
Impact
Extract wp_users credentials and PII

Vulnerability AssessmentAI

Exploitation Exploitation requires only that a target WordPress site have BookingPress Appointment Booking Pro version 5.7.1 or earlier installed and active, with the AJAX endpoint invoking bpa_assign_staffmember_to_slots() reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) is internally consistent with the description: network-reachable, low complexity, no privileges, no user interaction, high confidentiality impact only (no integrity or availability impact, consistent with a read-oriented data-extraction SQLi). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP POST request to the plugin's staff-assignment handler with SQL payload embedded in the 'store_service_date' field. Because stripslashes_deep() removes escaping and the value is concatenated into a LIKE clause, the appended query executes, returning contents of tables such as wp_users, allowing the attacker to exfiltrate password hashes, email addresses, and other sensitive data. …
Remediation No vendor-released patch version was identified in the provided data, so upgrade to the first release after 5.7.1 once the vendor publishes it and confirm the fix via the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/1663be8e-a6b8-4e0d-97d0-af7db2a2875c?source=cve). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations running BookingPress Pro and identify affected versions; assess what customer data flows through the booking system. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40912 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy