CVE-2026-15289 in Booking Calendar Appointment Booking System Plugin
Summary
by MITRE • 07/10/2026
The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpdevart_id’ parameter in all versions up to, and including, 3.2.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. In order to exploit the vulnerability, the Pro version of the plugin must be installed and activated, with the 'Delete previous dates' option checked.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The Booking calendar Appointment Booking System plugin for WordPress presents a critical time-based sql injection vulnerability affecting versions up to and including 3217. This weakness originates from inadequate input sanitization of the wpdevart_id parameter within the plugin's database interactions. The vulnerability specifically manifests when the pro version is active with the delete previous dates functionality enabled, creating a persistent attack vector that requires no authentication credentials from malicious actors. The flaw resides in the plugin's failure to properly escape user-supplied parameters before incorporating them into sql queries, allowing attackers to manipulate existing query structures through carefully crafted input sequences. This vulnerability directly maps to cwe-89 sql injection and aligns with att&ck technique t1190 for exploitation of web applications through sql injection attacks.
The technical implementation of this vulnerability demonstrates how insufficient parameter preparation creates opportunities for attackers to execute arbitrary sql commands against the underlying database system. When the wpdevart_id parameter is processed without proper escaping mechanisms, an attacker can inject additional sql syntax that will be interpreted by the database engine during query execution. The time-based nature of this injection means that attackers can extract data through response timing variations rather than direct data retrieval methods, making detection more challenging while still enabling comprehensive information extraction from vulnerable systems. The requirement for the pro version with delete previous dates activated suggests that specific feature combinations within the plugin create particularly vulnerable code paths.
The operational impact of this vulnerability extends beyond simple data theft to encompass potential system compromise and unauthorized access to sensitive user information. Attackers can leverage this vulnerability to extract database credentials, user account details, and other confidential information stored within the wordpress installation's database structure. The fact that exploitation requires only unauthenticated access makes this particularly dangerous for publicly accessible websites running vulnerable plugin versions. Security researchers have identified that this weakness creates opportunities for attackers to escalate privileges, modify database content, or potentially establish persistent access points within affected systems. The vulnerability affects not just individual user data but could compromise entire wordpress installations where the plugin is deployed.
Mitigation strategies must address both immediate remediation and long-term security hardening measures for affected systems. The primary recommendation involves upgrading to the latest plugin version where this vulnerability has been patched, as vendors typically release security updates to address known weaknesses. Additionally, implementing proper input validation and parameterized queries within the plugin's codebase would prevent similar issues from occurring in future deployments. Database administrators should consider implementing web application firewalls that can detect and block suspicious sql injection patterns targeting known vulnerable parameters. The vulnerability also highlights the importance of disabling unnecessary features and conducting regular security audits of third-party plugins to identify potential attack vectors before they can be exploited by malicious actors. Organizations should follow att&ck framework recommendations for defensive measures including network segmentation, database access controls, and monitoring for unusual query execution patterns that may indicate sql injection attempts.