CVE-2026-11823
Status: Received - Intake

SQL Injection in BookingPress Appointment Booking Pro Plugin

Vulnerability report for CVE-2026-11823, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Wordfence

Description

The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
References: NVD, EUVD

Affected Vendors & Products (1 associated CPE)

Vendor: bookingpress
Product: appointment_booking_pro
Version / Range: up to and including 5.7.1

Exploitability

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL Injection attacks that can extract sensitive information from the database.

Exposure of sensitive information due to this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and sensitive data.

Executive Summary

The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection in versions up to and including 5.7.1. The injection point is the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function. User-supplied POST data is passed through stripslashes_deep(), which removes escaping, and is then inserted directly into a SQL LIKE clause without $wpdb->prepare() or any other parameterization. This allows unauthenticated attackers to inject additional SQL into the existing query.

Impact Analysis

This vulnerability can allow unauthenticated attackers to extract sensitive information from the database by injecting malicious SQL queries. Since the attacker can append additional SQL commands, it can lead to unauthorized data disclosure, potentially exposing confidential user or business data.
