Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shiptrack Booking Calendar and Notification (booking-calendar-and-notification) allows Blind SQL Injection. This issue affects Booking Calendar and Notification: from n/a through <= 4.0.3.
Published: 2025-04-04
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements in the SQL command used by the Booking Calendar and Notification plugin allows an attacker to perform blind SQL injection. This flaw can enable execution of arbitrary queries against the plugin’s database, potentially exposing, altering, or destroying data stored by the plugin.

Affected Systems

WordPress sites that use the shiptrack Booking Calendar and Notification plugin, any version up through 4.0.3, are affected. The plugin is distributed as a WordPress plugin and is installed on the site’s web server, so anyone able to reach the plugin’s entry points could exploit it.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, but the EPSS score of less than 1% suggests that, at present, real‑world exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is a web request to the plugin’s endpoints, meaning remote attackers could trigger the blind injection without authentication if the plugin does not enforce proper access control.

Generated by OpenCVE AI on May 2, 2026 at 02:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Booking Calendar and Notification plugin to the latest stable release that addresses the CWE-89 SQL injection flaw.
  • If an immediate update is not possible, disable or remove the plugin until a safe version is available.
  • Reduce the privileges of the database user that WordPress uses for the plugin to limit the damage a blind injection could cause.
  • Consider deploying a web application firewall or rate limiting to detect and block anomalous SQL query patterns.

Generated by OpenCVE AI on May 2, 2026 at 02:33 UTC.


Advisories

Source: EUVD
ID: EUVD-2025-9750
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shiptrack Booking Calendar and Notification allows Blind SQL Injection. This issue affects Booking Calendar and Notification: from n/a through 4.0.3.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shiptrack Booking Calendar and Notification allows Blind SQL Injection.This issue affects Booking Calendar and Notification: from n/a through 4.0.3.
    Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shiptrack Booking Calendar and Notification booking-calendar-and-notification allows Blind SQL Injection.This issue affects Booking Calendar and Notification: from n/a through <= 4.0.3.
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Fri, 04 Apr 2025 15:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 13:45:00 +0000
  Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shiptrack Booking Calendar and Notification allows Blind SQL Injection.This issue affects Booking Calendar and Notification: from n/a through 4.0.3.
  Title: WordPress Booking Calendar and Notification plugin <= 4.0.3 - SQL Injection vulnerability
  Weaknesses: CWE-89
  References: (no values listed)
  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:04:29.105Z

Reserved: 2025-03-28T10:59:36.420Z

Link: CVE-2025-31403

Vulnrichment

Updated: 2025-04-04T14:27:36.336Z

NVD

Status : Deferred

Published: 2025-04-04T14:15:23.090

Modified: 2026-04-23T15:27:45.850

Link: CVE-2025-31403

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:45:32Z

Weaknesses