Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total8
Critical2
High4
Medium2
Reset
Showing 1-8 of 8 records
Threat Entry Updated 2024-12-24

CVE-2024-11726 - Bookingpress Plugin

The Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to SQL Injection via the 'category' parameter of the 'bookingpress_form' shortcode in all versions up to, and including, 1.1.21 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Bookingpress

CVE-2024-11726

MEDIUM CVSS 6.5 2024-12-24
Open Full Technical Breakdown
Threat Entry Updated 2024-11-04

CVE-2024-10540 - Bookingpress Plugin

The Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to SQL Injection via the 'service' parameter of the bookingpress_form shortcode in all versions up to, and including, 1.1.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Bookingpress

CVE-2024-10540

MEDIUM CVSS 5.3 2024-11-02
Open Full Technical Breakdown
Threat Entry Updated 2024-08-08

CVE-2024-7350 - Bookingpress Plugin

The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. This is only exploitable when the 'Auto login user after successful booking' setting is enabled.

PLUGIN Bookingpress

CVE-2024-7350

CRITICAL CVSS 9.8 2024-08-08
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6660 - Bookingpress Plugin

The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpress_import_data_continue_process_func function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site and upload arbitrary files. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain…

PLUGIN Bookingpress

CVE-2024-6660

HIGH CVSS 8.8 2024-07-17
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6467 - Bookingpress Plugin

The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to Arbitrary File Read to Arbitrary File Creation in all versions up to, and including, 1.1.5 via the 'bookingpress_save_lite_wizard_settings_func' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary files that contain the content of files on the server, allowing the execution of any PHP code in those files or the exposure of sensitive information.

PLUGIN Bookingpress

CVE-2024-6467

HIGH CVSS 8.8 2024-07-17
Open Full Technical Breakdown
Threat Entry Updated 2025-03-13

CVE-2024-3022 - Bookingpress Plugin

The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient filename validation in the 'bookingpress_process_upload' function in all versions up to, and including 1.0.87. This allows an authenticated attacker with administrator-level capabilities or higher to upload arbitrary files on the affected site's server, enabling remote code execution.

PLUGIN Bookingpress

CVE-2024-3022

HIGH CVSS 7.2 2024-04-04
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-6219 - Bookingpress Plugin

The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'bookingpress_process_upload' function in versions up to, and including, 1.0.76. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Bookingpress

CVE-2023-6219

HIGH CVSS 7.2 2023-11-28
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2022-0739 - Bookingpress Plugin

The BookingPress WordPress plugin before 1.0.11 fails to properly sanitize user supplied POST data before it is used in a dynamically constructed SQL query via the bookingpress_front_get_category_services AJAX action (available to unauthenticated users), leading to an unauthenticated SQL Injection

PLUGIN Bookingpress

CVE-2022-0739

CRITICAL CVSS 9.8 2022-03-21
Open Full Technical Breakdown
Scroll to top