Description
The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-07-01
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The BookingPress Appointment Booking Pro plugin for WordPress contains an unauthenticated SQL injection flaw in its bpa_assign_staffmember_to_slots() function. The vulnerability arises from the explicit use of stripslashes_deep() on the 'store_service_date' POST parameter, which is then incorporated verbatim into a SQL LIKE clause without any parameterization or sanitization. This permits an attacker to append additional SQL statements, enabling unauthorized extraction of sensitive database information.
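As an added illustration (not code from the BookingPress plugin, from Wordfence, or from OpenCVE), the pattern the description names, in a hypothetical handler, beside a parameterized rewrite; the function names, table and column names are assumptions:

```php
<?php
// Added illustration, not BookingPress code. demo_assign_staff_to_slots_*() are
// hypothetical handlers; the table {prefix}demo_slots and its columns are assumed.

// BEFORE (the pattern the advisory describes): stripslashes_deep() removes the
// slashes WordPress adds to $_POST, and the now-unescaped value is spliced into
// the query text, so a quote inside it terminates the LIKE string literal.
function demo_assign_staff_to_slots_vulnerable() {
    global $wpdb;
    $post = stripslashes_deep( $_POST );
    $date = isset( $post['store_service_date'] ) ? $post['store_service_date'] : '';
    $sql  = "SELECT id, slot_start FROM {$wpdb->prefix}demo_slots "
          . "WHERE slot_start LIKE '{$date}%'";   // user data inside the SQL text
    return $wpdb->get_results( $sql );
}

// AFTER: validate the shape of the input, escape LIKE wildcards, and let
// $wpdb->prepare() quote the value. The SQL text itself never contains user data.
function demo_assign_staff_to_slots_fixed() {
    global $wpdb;
    $date = isset( $_POST['store_service_date'] )
        ? sanitize_text_field( wp_unslash( $_POST['store_service_date'] ) )
        : '';
    // Accept only a YYYY-MM-DD value; reject everything else before touching the DB.
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
        return new WP_Error( 'bad_date', 'store_service_date must be YYYY-MM-DD' );
    }
    // esc_like() escapes % and _ so they are matched literally, not as wildcards;
    // the trailing % is our own prefix-match wildcard.
    $like = $wpdb->esc_like( $date ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, slot_start FROM {$wpdb->prefix}demo_slots WHERE slot_start LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}
```

The regex check is belt-and-braces: with prepare() in place the quoting alone closes the injection, and the whitelist additionally rejects input that can never be a valid date.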

Affected Systems

Repute Infosystems sells the BookingPress Appointment Booking Pro plugin. Versions up to and including 5.7.1 are affected; newer releases (5.7.2 and later) contain the fix. The flaw is confined to the WordPress plugin's staff-member assignment functionality.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and the network-reachable, unauthenticated attack vector (AV:N, PR:N) raises the likelihood of exploitation. Because the flaw allows additional SQL to be appended to an existing query, an attacker can potentially retrieve arbitrary data from the database. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, but the lack of authentication requirements and the high CVSS still make this a critical risk for any publicly accessible WordPress deployment that uses the affected plugin.

Generated by OpenCVE AI on July 1, 2026 at 08:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BookingPress Appointment Booking Pro to version 5.7.2 or later, which removes the unparameterized SQL usage.
  • If an upgrade cannot be performed immediately, disable or remove the 'store_service_date' parameter from incoming requests to the assign_staffmember_to_slots endpoint to prevent injection attempts.
  • Deploy a web-application firewall or adjust server-side request filtering to block malformed SQL payloads targeting the plugin's input fields while a patch is applied.


Tracking


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 06:45:00 +0000

Type | Values Removed | Values Added
Description | | The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title | | BookingPress Appointment Booking Pro <= 5.7.1 - Unauthenticated SQL Injection via 'store_service_date' Parameter
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T05:35:29.663Z

Reserved: 2026-06-09T18:11:40.111Z

Link: CVE-2026-11823

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T08:45:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')