CVE-2026-11823

WordPress · BookingPress Appointment Booking Pro

The BookingPress Appointment Booking Pro plugin for WordPress is susceptible to SQL injection via the 'store_service_date' parameter within the bpa_assign_staffmember_to_slots() function.

Executive summary

A SQL injection vulnerability in the BookingPress Appointment Booking Pro plugin allows attackers to manipulate database queries and potentially compromise sensitive site data.

Vulnerability

The vulnerability stems from insufficient escaping of the store_service_date parameter in the bpa_assign_staffmember_to_slots() function. The value reaches the SQL query as raw text rather than as a bound parameter, so an attacker who controls it can typically terminate the intended string literal and append SQL of their own, which the database then executes with the privileges of the WordPress database account. Note that general-purpose WordPress sanitizers such as sanitize_text_field() strip tags and stray whitespace but do not escape quote characters, so they are not a defense against this class of bug; binding the value through $wpdb->prepare() (or equivalent escaping) is.
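To make the pattern concrete, here is an added illustration, not the plugin's actual code (the advisory does not reproduce it): a schematic vulnerable handler beside a hardened one. The function names, the example_slots table and its column names are hypothetical.

```php
<?php
// Added illustration for CVE-2026-11823; not BookingPress code.
// Function names, the example_slots table and its columns are hypothetical.

// Vulnerable shape: the request value is interpolated straight into SQL.
// sanitize_text_field() is NOT an SQL escape; a value such as
//   2026-05-01' OR '1'='1
// simply becomes part of the query text.
function example_assign_slots_vulnerable( $staff_id, $store_service_date ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_slots';            // hypothetical table
    $date  = sanitize_text_field( $store_service_date );  // strips tags, keeps quotes

    $sql = "SELECT slot_id FROM {$table} WHERE slot_date = '{$date}'"
         . ' AND staff_id = ' . (int) $staff_id;
    return $wpdb->get_col( $sql );                        // attacker controls the WHERE clause
}

// Hardened shape: validate the value as a real calendar date first, then bind it
// with $wpdb->prepare() so it can only ever be a quoted string literal.
function example_assign_slots_fixed( $staff_id, $store_service_date ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_slots';            // hypothetical table

    // WordPress adds magic-quote slashes to request data; remove them before validating.
    $date = example_validate_ymd( wp_unslash( $store_service_date ) );
    if ( null === $date ) {
        return new WP_Error( 'bad_date', 'store_service_date must be YYYY-MM-DD' );
    }
    $staff_id = absint( $staff_id );

    $sql = $wpdb->prepare(
        "SELECT slot_id FROM {$table} WHERE slot_date = %s AND staff_id = %d",
        $date,
        $staff_id
    );
    return $wpdb->get_col( $sql );
}

// Strict positive validation: accept only YYYY-MM-DD that round-trips through
// DateTime, which also rejects impossible dates such as 2026-02-30.
function example_validate_ymd( $value ) {
    if ( ! is_string( $value ) || ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $value ) ) {
        return null;
    }
    $dt = DateTime::createFromFormat( '!Y-m-d', $value );
    return ( $dt && $dt->format( 'Y-m-d' ) === $value ) ? $value : null;
}
```

$wpdb->prepare() quotes and escapes every %s argument, so the date can never become query syntax; the regex plus round-trip check rejects anything that is not a real date before the query is even built. The table name is interpolated because it comes from $wpdb->prefix, not from the request.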

Business impact

With a CVSS base score of 7.5 (High), this flaw puts the confidentiality and integrity of the WordPress database at risk. A successful injection through store_service_date can let an attacker read tables the injected query can reach, including customer and appointment records and the user table with its password hashes, or alter appointment data where the affected query writes. How far that reaches depends on the privileges of the database account WordPress connects with: an over-privileged account extends the blast radius to every database on the server. Exposure of customer data may also trigger breach-notification and other regulatory obligations.

Remediation

Immediate Action: Update the BookingPress Appointment Booking Pro plugin to the latest available version provided by the developer.

Proactive Monitoring: Review web server access logs and, where they exist, database query and error logs for requests that carry the store_service_date parameter with anything other than a plain date: quote characters, comment markers (--, #, /*), UNION/SELECT fragments, or SLEEP()/BENCHMARK() calls used for time-based blind injection. Two caveats: a blind injection can succeed without producing any database error, so a clean error log is not evidence that nothing happened, and parameters sent in a POST body do not appear in standard access logs, so capturing them requires the WAF or application-level request logging. The MySQL general query log is off by default and expensive at volume; enable it only for a bounded investigation window.

Compensating Controls: Until the update is applied, place a Web Application Firewall (WAF) with SQL injection rules in front of the site. A generic signature rule set reduces exposure but is bypassable; a more reliable rule for this specific flaw is positive validation that rejects any request where store_service_date is not a plain date in the format the plugin expects. The WAF is a stopgap, not a substitute for the patch.
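As an added example covering both the monitoring and the WAF points above (not part of the advisory or the plugin), the following PHP classifies store_service_date values found in access-log lines. The log lines, the endpoint path and the action parameter are constructed placeholders. The "ok" branch is the positive-validation rule a WAF should enforce; the labelled branches are the patterns worth hunting in historical logs.

```php
<?php
// Added example; not part of the advisory or of BookingPress.
// Classifies store_service_date values seen in request logs.

// A legitimate value is a bare calendar date; anything else is at least suspicious.
// Order the patterns from most to least specific so the verdict is useful for triage.
function example_classify_date_param( $value ) {
    if ( preg_match( '/^\d{4}-\d{2}-\d{2}$/', $value ) ) {
        return 'ok';
    }
    $patterns = array(
        '/\bunion\b.*\bselect\b/i'                  => 'union_select',
        '/\b(sleep|benchmark)\s*\(/i'               => 'time_based',
        '/\b(or|and)\b\s+[\w\'"]+\s*=\s*[\w\'"]+/i' => 'tautology',
        '/(--|#|\/\*)/'                             => 'comment',
        '/[\'"`]/'                                  => 'quote',
    );
    foreach ( $patterns as $re => $label ) {
        if ( preg_match( $re, $value ) ) {
            return 'suspicious:' . $label;
        }
    }
    return 'suspicious:malformed';
}

// Pull the parameter out of a combined-format access-log line. Only GET query
// strings are visible here; POST bodies must be inspected in the WAF or a mu-plugin.
function example_scan_log_line( $line ) {
    if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP/', $line, $m ) ) {
        return null;
    }
    $query = parse_url( $m[1], PHP_URL_QUERY );
    if ( ! $query ) {
        return null;
    }
    parse_str( $query, $params );   // parse_str also URL-decodes the values
    if ( ! isset( $params['store_service_date'] ) ) {
        return null;
    }
    $value = (string) $params['store_service_date'];
    return array( 'value' => $value, 'verdict' => example_classify_date_param( $value ) );
}

// Constructed sample lines (not real traffic); the path and action are placeholders.
$sample_log = array(
    '203.0.113.5 - - [01/May/2026:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=x&store_service_date=2026-05-01 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=x&store_service_date=2026-05-01%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '203.0.113.5 - - [01/May/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=x&store_service_date=2026-05-01%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=x&store_service_date=2026-05-01%20UNION%20SELECT%20user_pass%20FROM%20wp_users HTTP/1.1" 500 0',
);

foreach ( $sample_log as $line ) {
    $hit = example_scan_log_line( $line );
    if ( $hit && 'ok' !== $hit['verdict'] ) {
        echo $hit['verdict'], "\t", $hit['value'], PHP_EOL;
    }
}
```

The first line is reported as nothing (it is a valid date); the remaining three are flagged as tautology, time_based and union_select respectively. Feed real logs through the same function with a file iterator, and treat any non-"ok" verdict as a reason to pull the full request from the WAF or application log.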

Exploitation status

Public Exploit Available: false

Analyst recommendation

SQL injection remains a primary vector for data breaches, and users of BookingPress should update immediately. Beyond the patch, confine the blast radius of any future injection by granting the database account WordPress connects with only what it needs: typically SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER and INDEX on the site's own database (core needs the DDL privileges for upgrades, and many plugins create their own tables), and nothing on other databases or at the global level. In particular FILE, SUPER, PROCESS and GRANT OPTION must be absent, since they turn a query-level injection into file reads, server-wide visibility or account takeover on the database server.
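An added check for the least-privilege point above (not part of the advisory): run it with WP-CLI to report what the site's database account can actually do. It assumes a MySQL or MariaDB backend, where SHOW GRANTS returns one GRANT statement per row; the file name and function name are arbitrary.

```php
<?php
// Added example; not part of the advisory or of BookingPress.
// Run with WP-CLI:  wp eval-file check_db_grants.php   (file name is arbitrary)

function example_audit_db_grants() {
    global $wpdb;
    $grants   = $wpdb->get_col( 'SHOW GRANTS FOR CURRENT_USER()' );
    $findings = array();

    // Privileges a WordPress site never needs; each lets an injection reach
    // files, other databases, server state, or other accounts.
    $dangerous = array(
        'ALL PRIVILEGES', 'FILE', 'SUPER', 'PROCESS', 'SHUTDOWN',
        'GRANT OPTION', 'CREATE USER', 'RELOAD',
    );

    foreach ( $grants as $grant ) {
        foreach ( $dangerous as $priv ) {
            if ( false !== stripos( $grant, $priv ) ) {
                $findings[] = "$priv: $grant";
            }
        }
        // Grants ON *.* apply to every database on the server. The bare
        // "GRANT USAGE ON *.*" row that MySQL always emits confers nothing.
        if ( preg_match( '/\bON \*\.\* TO\b/i', $grant )
             && ! preg_match( '/^GRANT USAGE ON \*\.\*/i', $grant ) ) {
            $findings[] = "global scope: $grant";
        }
    }
    return $findings;
}

$findings = example_audit_db_grants();
if ( empty( $findings ) ) {
    WP_CLI::success( 'Database account is scoped to its own schema with no dangerous privileges.' );
} else {
    foreach ( $findings as $finding ) {
        WP_CLI::warning( $finding );
    }
}
```

Any warning means the account should be re-created with grants limited to the site's database; the correction is a GRANT on that database alone plus a REVOKE of the global privileges, issued by the database administrator rather than through WordPress.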