Impact
The MotoPress Appointment Booking plugin for WordPress contains a generic SQL injection flaw in the 's' parameter used by the admin booking page. Unsanitized user input is concatenated directly into an existing SQL query, allowing an attacker to append additional statements. An authenticated user holding the custom "mpa_appointment_employee" role can exploit this weakness to read or modify data stored in the underlying database, compromising database confidentiality and integrity. The impact is limited to the database contents of the affected WordPress installation and does not, by itself, lead to broader system compromise unless additional misconfigurations are present.
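As an added illustration, not code from the plugin or from the advisory, the following shows the general pattern the advisory describes (a search term from the 's' request parameter concatenated into a query string) next to the hardened form that binds the value with WordPress's $wpdb->prepare(). The table name, column names and the capability name are assumptions made for the example; the functions assume they run inside WordPress, where the global $wpdb object and the helpers used here are available.

```php
<?php
// Added example, not the plugin's own code. Table, column and capability
// names are hypothetical. Both functions assume a WordPress runtime.

/**
 * Vulnerable pattern: the raw 's' request parameter becomes part of the SQL
 * text, so whatever the user typed is parsed as SQL rather than as a value.
 */
function example_search_bookings_unsafe() {
    global $wpdb;

    $term  = isset( $_GET['s'] ) ? $_GET['s'] : '';
    $table = $wpdb->prefix . 'example_bookings'; // hypothetical table name

    // No escaping and no parameter binding: this is the generic SQL injection
    // pattern the advisory describes.
    $sql = "SELECT id, customer_name FROM {$table} WHERE customer_name LIKE '%" . $term . "%'";

    return $wpdb->get_results( $sql );
}

/**
 * Hardened pattern: check authorization first, normalise the input, and bind
 * the search term as a value with $wpdb->prepare(), so user text can never
 * change the structure of the query.
 */
function example_search_bookings_safe() {
    global $wpdb;

    // Fail closed unless the caller holds the (hypothetical) capability that
    // is meant to grant access to booking data.
    if ( ! current_user_can( 'example_view_bookings' ) ) {
        return array();
    }

    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid octets and extra whitespace.
    $term = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';

    $table = $wpdb->prefix . 'example_bookings'; // hypothetical table name

    // esc_like() escapes the LIKE wildcards (% and _) inside the user's text;
    // prepare() then binds the complete pattern as a single string via %s.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, customer_name FROM {$table} WHERE customer_name LIKE %s",
        $like
    );

    return $wpdb->get_results( $sql );
}
```

The important difference is that in the hardened version the search term reaches the database only as a bound string value, so quote characters or keywords in it have no effect on the query structure. The capability check in front of the query is a separate layer: it limits which roles can reach the search at all, which matters here because the advisory's attacker is an authenticated user with a low-privilege staff role.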
Affected Systems
All installations of MotoPress Appointment Booking version 2.4.5 or earlier, running on WordPress, are vulnerable. The flaw is triggered through the admin interface whenever a user with the "mpa_appointment_employee" role or higher accesses the bookings page. Version 2.4.6 and newer remove the exploitation vector.
Risk and Exploitability
With a CVSS score of 6.5, the vulnerability is considered to be of moderate severity. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, indicating limited publicly known exploitation attempts at this time. An attacker would need to log into the WordPress admin area and hold the appropriate staff role in order to craft requests that exploit the 's' parameter. The vulnerability primarily allows information disclosure and data manipulation within the database, and could be used to facilitate further attacks depending on the application's role permissions and database access controls.
OpenCVE Enrichment