Motopress Appointment Booking
Monthly
Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.
SQL Injection in the MotoPress Appointment Booking WordPress plugin (versions ≤ 2.4.5) allows authenticated attackers holding the mpa_appointment_employee custom role to append arbitrary SQL to booking search queries via the 's' parameter, enabling full read access to the underlying WordPress database. The vulnerability originates in ManageBookingsPage.php at two separate query-construction points (lines 247 and 310), where user-supplied input is neither escaped nor parameterized. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS signal was not supplied; however, the Wordfence intelligence report and a confirmed upstream fix commit indicate the issue is credibly documented.
Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.
SQL Injection in the MotoPress Appointment Booking WordPress plugin (versions ≤ 2.4.5) allows authenticated attackers holding the mpa_appointment_employee custom role to append arbitrary SQL to booking search queries via the 's' parameter, enabling full read access to the underlying WordPress database. The vulnerability originates in ManageBookingsPage.php at two separate query-construction points (lines 247 and 310), where user-supplied input is neither escaped nor parameterized. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS signal was not supplied; however, the Wordfence intelligence report and a confirmed upstream fix commit indicate the issue is credibly documented.