CVE-2024-1207 in WP Booking Calendar Plugin
Summary
by MITRE • 02/08/2024
The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2026
The WP Booking Calendar plugin presents a critical SQL injection vulnerability that affects all versions up to and including 9.9, creating a significant security risk for WordPress installations. This vulnerability stems from inadequate input sanitization and improper parameter handling within the plugin's codebase, specifically targeting the 'calendar_request_params[dates_ddmmyy_csv]' parameter. The flaw allows attackers to manipulate database queries through crafted input, potentially compromising the entire WordPress environment and its underlying data repositories.
The technical implementation of this vulnerability occurs when user-supplied data enters the SQL query execution path without proper escaping or parameterization. Attackers can exploit this weakness by injecting malicious SQL constructs into the dates_ddmmyy_csv parameter, which then gets incorporated into existing database queries. This lack of input validation creates a direct pathway for attackers to manipulate the intended query execution flow, enabling them to extract sensitive information from the database through carefully crafted injection payloads. The vulnerability operates at the database interaction layer, where the plugin fails to properly separate user input from SQL command structure.
The operational impact of this vulnerability extends beyond simple data theft, as it provides attackers with the capability to perform unauthorized database operations including data extraction, modification, or deletion. Unauthenticated attackers can leverage this weakness to gain access to confidential information stored within the WordPress database, potentially including user credentials, booking details, and other sensitive operational data. The vulnerability's persistence across multiple versions indicates a fundamental flaw in the plugin's architecture that requires immediate attention and remediation to prevent exploitation.
Mitigation strategies should focus on immediate patching of the affected plugin versions, implementing proper input validation and parameterization techniques, and establishing network-level protections through firewalls and intrusion detection systems. Organizations should also consider implementing database query monitoring and access controls to limit the potential damage from successful exploitation attempts. The vulnerability aligns with CWE-89 which specifically addresses SQL injection flaws, and represents a technique commonly catalogued in ATT&CK framework under T1190 for exploiting vulnerabilities in web applications. Regular security audits and input validation testing should be implemented to prevent similar issues in other components of the WordPress ecosystem.