CVE-2026-15335

Masaaki Tanaka · Booking Package

The Booking Package plugin for WordPress is vulnerable to SQL Injection via the 'email' form parameter, allowing unauthenticated attackers to query the database.

Executive summary

The Booking Package plugin for WordPress contains an unauthenticated SQL injection vulnerability that could allow attackers to extract sensitive information from the underlying database.

Vulnerability

The plugin fails to properly sanitize the 'email' parameter in form submissions. This allows an unauthenticated attacker to inject malicious SQL commands, leading to unauthorized database access.

Business impact

This vulnerability carries a CVSS score of 7.5, indicating a high-risk scenario. Successful exploitation could result in the exfiltration of sensitive customer data or administrative credentials stored within the WordPress database, leading to significant reputational damage and potential regulatory non-compliance.

Remediation

Immediate Action: Update the Booking Package plugin to the latest version available from the vendor repository.

Proactive Monitoring: Review database query logs for anomalous patterns or unexpected syntax that may indicate automated SQL injection attempts.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common SQL injection patterns in HTTP request parameters.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this flaw necessitates immediate attention. Administrators should verify their current version of Booking Package and apply the latest update provided by the developer to eliminate the injection vector.