{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/booking-package-plugin--1.7.20/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-15335"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Booking Package plugin \u003c= 1.7.20"],"_cs_severities":["high"],"_cs_tags":["wordpress","sqli","web-vulnerability","cms"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Booking Package plugin for WordPress, in all versions up to and including 1.7.20, is susceptible to an unauthenticated generic SQL Injection vulnerability, identified as CVE-2026-15335. This vulnerability resides in the \u003ccode\u003e/wp-json/booking-package/v1/request\u003c/code\u003e REST API endpoint, where the 'email' form parameter is processed with insufficient input sanitization and without the use of prepared statements. Consequently, attackers can inject arbitrary SQL queries into existing database queries, potentially leading to the extraction of sensitive information from the WordPress database. The endpoint's \u003ccode\u003epermission_callback: __return_true\u003c/code\u003e configuration and the lack of \u003ccode\u003ewp_magic_quotes\u003c/code\u003e for REST-sourced \u003ccode\u003e$_POST\u003c/code\u003e values mean that single quotes in an attacker's payload can reach the SQL sink intact, bypassing authentication. While the 'email' parameter is subject to \u003ccode\u003eis_email\u003c/code\u003e validation, an attacker could craft payloads that initially conform to an email format before breaking out to append malicious SQL queries.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress installation running the Booking Package plugin version 1.7.20 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request targeting the vulnerable REST API endpoint: \u003ccode\u003e/wp-json/booking-package/v1/request\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA malicious SQL injection payload is embedded within the 'email' form parameter in the body of the POST request, designed to bypass \u003ccode\u003eis_email\u003c/code\u003e validation and append further SQL queries (e.g., \u003ccode\u003etest@example.com' UNION SELECT ... --\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request is processed by the plugin, bypassing authentication due to the endpoint's permissive \u003ccode\u003epermission_callback\u003c/code\u003e setting.\u003c/li\u003e\n\u003cli\u003eThe lack of proper input escaping and prepared statements allows the injected SQL payload, including single quotes, to be interpreted as part of the database query.\u003c/li\u003e\n\u003cli\u003eThe appended malicious SQL queries execute on the underlying database, enabling the attacker to extract sensitive data.\u003c/li\u003e\n\u003cli\u003eThe sensitive information, such as user credentials, PII, or other critical database contents, is returned to the attacker within the HTTP response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15335 allows unauthenticated attackers to gain unauthorized access to sensitive information stored in the WordPress database. This could include user accounts, personal data, application configurations, or other critical business data. Although the 'email' parameter undergoes \u003ccode\u003eis_email\u003c/code\u003e validation, determined attackers can craft payloads to circumvent this, leading to data breaches. The broad usage of WordPress and the Booking Package plugin means a significant number of websites could be at risk if not updated promptly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-15335 immediately by updating the Booking Package plugin for WordPress to a version greater than 1.7.20.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) to detect and block common SQL injection patterns, especially those targeting the \u003ccode\u003e/wp-json/booking-package/v1/request\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T05:18:38Z","date_published":"2026-07-11T05:18:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-booking-package-sqli/","summary":"The Booking Package plugin for WordPress is vulnerable to unauthenticated generic SQL Injection via the 'email' form parameter in versions up to and including 1.7.20, allowing attackers to extract sensitive information from the database.","title":"WordPress Booking Package Plugin Vulnerable to Unauthenticated SQL Injection","url":"https://feed.craftedsignal.io/briefs/2026-07-booking-package-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - Booking Package Plugin \u003c= 1.7.20","version":"https://jsonfeed.org/version/1.1"}