CVE-2026-15335
Received Received - Intake

SQL Injection in WordPress Booking Package Plugin

Vulnerability report for CVE-2026-15335, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Wordfence

Description

The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (form<N>) in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerable REST API endpoint /wp-json/booking-package/v1/request is registered with permission_callback: __return_true and wp_magic_quotes does not apply to REST-sourced $_POST values, meaning single quotes in the payload reach the SQL sink intact without any authentication requirement. The impact of this is severely limited as the vulnerable parameter goes through is_email.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
booking_package booking_package to 1.7.20 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL Injection attacks that can extract sensitive information from the database.

Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, this vulnerability potentially compromises compliance with these common standards and regulations by exposing sensitive data to attackers.

Executive Summary

The Booking Package plugin for WordPress has a generic SQL Injection vulnerability in the 'email' form parameter in all versions up to and including 1.7.20. This occurs because the plugin does not properly escape user-supplied input and does not sufficiently prepare the SQL query. As a result, unauthenticated attackers can inject additional SQL queries through the vulnerable REST API endpoint, potentially extracting sensitive information from the database.

The vulnerability is worsened by the fact that the REST API endpoint /wp-json/booking-package/v1/request is registered with a permission callback that always returns true, allowing anyone to send requests without authentication. Additionally, the usual WordPress magic quotes protection does not apply to REST-sourced POST values, so single quotes in the payload remain intact and reach the SQL query.

However, the impact is somewhat limited because the vulnerable parameter is filtered through the is_email function, which restricts the input to valid email formats.

Impact Analysis

This vulnerability can allow unauthenticated attackers to perform SQL Injection attacks, enabling them to extract sensitive information from the website's database. This could include user data or other confidential information stored within the database.

Since the vulnerability does not allow modification or deletion of data (as indicated by the CVSS vector showing no integrity or availability impact), the main risk is unauthorized disclosure of sensitive data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15335. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart