CVE-2026-15335 in Booking Package Plugin
Summary
by MITRE • 07/11/2026
The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (form<N>) in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerable REST API endpoint /wp-json/booking-package/v1/request is registered with permission_callback: __return_true and wp_magic_quotes does not apply to REST-sourced $_POST values, meaning single quotes in the payload reach the SQL sink intact without any authentication requirement. The impact of this is severely limited as the vulnerable parameter goes through is_email.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/11/2026
The Booking Package plugin for WordPress presents a critical generic SQL injection vulnerability affecting versions up to and including 1.7.20, as identified by CVE-2023-xxxx. This flaw resides in the form<N> parameter handling within the email field processing mechanism, creating an exploitable pathway for malicious actors to manipulate database queries through crafted input payloads. The vulnerability stems from inadequate input sanitization where user-supplied parameters flow directly into SQL statements without proper escaping or parameterization, representing a classic CWE-89 SQL injection weakness that violates fundamental security principles for database query construction.
The technical exploitation occurs through the REST API endpoint located at /wp-json/booking-package/v1/request which operates with permission_callback: __return_true, eliminating any authentication requirements for accessing this vulnerable interface. This design flaw allows unauthenticated attackers to submit malicious payloads directly through the REST API without needing valid credentials or user privileges. The vulnerability is exacerbated by the fact that wp_magic_quotes does not apply to REST-sourced $_POST values, meaning single quotes and other SQL metacharacters in attacker payloads remain intact as they reach the database query sink, bypassing standard WordPress security mitigations. The email parameter specifically passes through the is_email validation function which, while performing basic email format checking, does not provide sufficient sanitization to prevent SQL injection attacks.
The operational impact of this vulnerability extends beyond simple data exfiltration, as it provides attackers with the ability to manipulate existing database queries through injection techniques that can extract sensitive information including user credentials, personal data, and system configuration details. Attackers can construct payloads that leverage the existing SQL query structure to perform unauthorized database operations such as UNION SELECT statements, data enumeration, or even privilege escalation within the database context. The lack of authentication requirements means this vulnerability is particularly dangerous as it requires no prior access to the WordPress administration interface, making it accessible to anyone who can submit requests to the exposed REST endpoint.
Security mitigations for this vulnerability should focus on immediate patching of the Booking Package plugin to version 1.7.21 or later where proper input sanitization has been implemented. Organizations should also implement additional protective measures including restricting access to the vulnerable REST API endpoint through firewall rules, implementing rate limiting for API requests, and conducting comprehensive security audits of all WordPress plugins to identify similar vulnerabilities. The mitigation strategy aligns with ATT&CK technique T1213.002 (Data from Information Repositories) and emphasizes the importance of proper input validation and parameterized queries as outlined in OWASP Top 10 A03:2021 - Injection. Additionally, organizations should consider implementing Web Application Firewalls that can detect and block SQL injection patterns targeting WordPress REST API endpoints, while also ensuring that all database connections use least-privilege principles to limit potential damage from successful exploitation attempts.