
CVE-2026-11823

Severity: HIGH, 7.5 (CVSS 3.1)
Description
The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
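The defect pattern the description names (an unslashed POST value interpolated into a LIKE clause) and the remediation it implies (parameterized query via $wpdb->prepare()), shown side by side as an added illustrative example. This is not the plugin's code: the function names, the table `{$wpdb->prefix}example_slots`, the column `service_date` and the date format check are assumptions made for illustration; only the parameter name `store_service_date` and the WordPress APIs are taken from the page or from WordPress itself.

```php
<?php
// Added illustrative example for CVE-2026-11823, not the plugin's own code.
// Table and column names below are assumptions; $wpdb is the WordPress DB object.

// Vulnerable pattern as described in the advisory: stripslashes_deep() is run on
// $_POST and the resulting string is placed verbatim into the SQL text, so any
// quote or SQL metacharacter in the value becomes part of the statement.
function example_vulnerable_slot_query( $wpdb, array $post ) {
    $post = stripslashes_deep( $post );
    $date = isset( $post['store_service_date'] ) ? $post['store_service_date'] : '';
    // No prepare(), no esc_like(): the value is concatenated into the query.
    return "SELECT * FROM {$wpdb->prefix}example_slots WHERE service_date LIKE '{$date}%'";
}

// Hardened version: unslash and sanitize the input, enforce the expected shape,
// escape LIKE wildcards separately, and let prepare() quote the value.
function example_safe_slot_query( $wpdb, array $post ) {
    $date = isset( $post['store_service_date'] )
        ? sanitize_text_field( wp_unslash( $post['store_service_date'] ) )
        : '';

    // Assumed format for the parameter (YYYY-MM-DD); reject anything else early.
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
        return null;
    }

    // esc_like() neutralizes % and _ so they cannot widen the pattern;
    // prepare() with %s quotes and escapes the value for the SQL text itself.
    $pattern = $wpdb->esc_like( $date ) . '%';

    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_slots WHERE service_date LIKE %s",
        $pattern
    );
}
```

The two controls are complementary: $wpdb->prepare() closes the injection, while the format check limits the parameter to the values the handler is meant to accept, which is also the condition a WAF rule or request log review can test for. Because the advisory rates the issue as reachable without authentication (PR:N), adding a capability or nonce check to the request handler is a reasonable defense-in-depth step on top of the query fix, though the fix itself is the parameterization.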

Metadata

CVE ID: CVE-2026-11823
State: PUBLISHED
Assigner: Wordfence
Reserved: 2026-06-09 18:11 UTC
Published: 2026-07-01 05:35 UTC
Last updated: 2026-07-01 10:42 UTC
Primary CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Vendor / Product: Repute Infosystems / BookingPress Appointment Booking Pro
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
Vendor: Repute Infosystems
Product: BookingPress Appointment Booking Pro
Platform: (none listed)
Versions: 0 ≤ 5.7.1 (all versions up to and including 5.7.1)
Weakness (CWE)
CWE: CWE-89
Source: cna
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS scores (1)
Score: 7.5
Severity: HIGH
Version: 3.1
Source: cna
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N