CVE-2026-15335
Masaaki Tanaka · Booking Package
The Booking Package plugin for WordPress is vulnerable to SQL Injection via the 'email' form parameter, allowing unauthenticated attackers to query the database.
Executive summary
The Booking Package plugin for WordPress contains an unauthenticated SQL injection vulnerability that could allow attackers to extract sensitive information from the underlying database.
Vulnerability
The plugin fails to properly sanitize the 'email' parameter in form submissions. This allows an unauthenticated attacker to inject malicious SQL commands, leading to unauthorized database access.
Business impact
This vulnerability carries a CVSS score of 7.5, indicating a high-risk scenario. Successful exploitation could result in the exfiltration of sensitive customer data or administrative credentials stored within the WordPress database, leading to significant reputational damage and potential regulatory non-compliance.
Remediation
Immediate Action: Update the Booking Package plugin to the latest version available from the vendor repository.
Proactive Monitoring: Review database query logs for anomalous patterns or unexpected syntax that may indicate automated SQL injection attempts.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block common SQL injection patterns in HTTP request parameters.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this flaw necessitates immediate attention. Administrators should verify their current version of Booking Package and apply the latest update provided by the developer to eliminate the injection vector.