Impact
The BookingPress Appointment Booking Pro plugin for WordPress contains an unauthenticated SQL injection flaw in its bpa_assign_staffmember_to_slots() function. The function calls stripslashes_deep() on the 'store_service_date' POST parameter, which removes the slashes WordPress adds to incoming request data, and then concatenates the resulting raw value directly into a SQL LIKE clause without $wpdb->prepare() or any other escaping. An attacker who can reach the handler without logging in can therefore close the string literal and inject additional SQL into the existing query, which can be used to extract sensitive information from the database.
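The pattern described above, written out as an added illustration beside a hardened form. This is not the BookingPress plugin's own code: the function names, the table name and the column names are hypothetical, and it assumes a normal WordPress request context in which wp_magic_quotes() has already added slashes to $_POST.

```php
<?php
// Added example, not code from the BookingPress plugin.
// Assumes a WordPress runtime (global $wpdb, stripslashes_deep(),
// wp_unslash(), sanitize_text_field()) and a request whose $_POST
// values have been slash-escaped by wp_magic_quotes().

// VULNERABLE pattern: the class of bug described in the advisory.
// stripslashes_deep() strips WordPress's slashes (fine on its own),
// but the unescaped value is then interpolated straight into a
// LIKE clause with no prepare(), so a single quote in the input
// terminates the literal and the remainder is parsed as SQL.
function bpa_example_vulnerable_slot_lookup( array $post ) {
    global $wpdb;
    $date  = isset( $post['store_service_date'] ) ? stripslashes_deep( $post['store_service_date'] ) : '';
    $table = $wpdb->prefix . 'example_staff_slots'; // hypothetical table
    $sql   = "SELECT slot_id, staff_id FROM {$table} WHERE slot_date LIKE '%" . $date . "%'";
    return $wpdb->get_results( $sql );
}

// HARDENED pattern: unslash, sanitize, escape LIKE wildcards, and
// bind the value as a %s placeholder through $wpdb->prepare(). The
// quoting is now handled by the driver, not by the interpolated string.
function bpa_example_hardened_slot_lookup( array $post ) {
    global $wpdb;
    $raw   = isset( $post['store_service_date'] ) ? wp_unslash( $post['store_service_date'] ) : '';
    $date  = sanitize_text_field( $raw );
    $table = $wpdb->prefix . 'example_staff_slots'; // hypothetical table
    // esc_like() escapes % and _ so user input cannot widen the match;
    // the surrounding wildcards are added by us, outside the escaped value.
    $like  = '%' . $wpdb->esc_like( $date ) . '%';
    $sql   = $wpdb->prepare( "SELECT slot_id, staff_id FROM {$table} WHERE slot_date LIKE %s", $like );
    return $wpdb->get_results( $sql );
}
```

The point worth taking from the comparison is that stripslashes_deep() (or wp_unslash()) is not itself the defect: WordPress's added slashes were never meant as SQL escaping, and the hardened version removes them too. The defect is building the query by string concatenation afterwards; once the value goes through $wpdb->prepare() as a %s parameter, and LIKE metacharacters are neutralised with $wpdb->esc_like(), the input can no longer change the query's structure.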
Affected Systems
The BookingPress Appointment Booking Pro plugin is developed and sold by Repute Infosystems. All versions up to and including 5.7.1 are affected; version 5.7.2 and later contain the fix. The flaw is confined to the plugin's staff-member assignment functionality, reached through the bpa_assign_staffmember_to_slots() handler, so any site running an affected version with the plugin active is exposed regardless of how the booking front end is used.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, and the attack vector is network-reachable and requires no authentication, which raises the likelihood of exploitation. Because the flaw lets an attacker alter the structure of the query being executed, it can be used to read data the application never intended to expose, including other tables in the WordPress database. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the absence of any authentication requirement and the high CVSS still make this a serious risk for any publicly accessible WordPress deployment running an affected version. Administrators should confirm the installed plugin version against the 5.7.1 threshold and update to 5.7.2 or later.
OpenCVE Enrichment