{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32358", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:53.773Z", "datePublished": "2026-03-13T11:42:03.699Z", "dateUpdated": "2026-04-29T09:51:57.850Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "booking", "product": "Booking Calendar", "vendor": "wpdevelop", "versions": [{"changes": [{"at": "10.14.16", "status": "unaffected"}], "lessThanOrEqual": "10.14.15", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "mcdruid | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:40.957Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop Booking Calendar booking allows Blind SQL Injection.<p>This issue affects Booking Calendar: from n/a through <= 10.14.15.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop Booking Calendar booking allows Blind SQL Injection.This issue affects Booking Calendar: from n/a through <= 10.14.15."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.850Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/booking/vulnerability/wordpress-booking-calendar-plugin-10-14-15-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Booking Calendar plugin <= 10.14.15 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T19:29:58.978318Z", "id": "CVE-2026-32358", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:30:13.444Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32358", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:53.773Z", "datePublished": "2026-03-13T11:42:03.699Z", "dateUpdated": "2026-03-13T19:30:13.444Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "booking", "product": "Booking Calendar", "vendor": "wpdevelop", "versions": [{"changes": [{"at": "10.14.16", "status": "unaffected"}], "lessThanOrEqual": "<= 10.14.15", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "mcdruid | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-13T12:41:26.872Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop Booking Calendar booking allows Blind SQL Injection.<p>This issue affects Booking Calendar: from n/a through <= 10.14.15.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop Booking Calendar booking allows Blind SQL Injection.This issue affects Booking Calendar: from n/a through <= 10.14.15."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:03.699Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/booking/vulnerability/wordpress-booking-calendar-plugin-10-14-15-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Booking Calendar plugin <= 10.14.15 - SQL Injection vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32358", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T19:29:58.978318Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:30:10.158Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop Booking Calendar booking allows Blind SQL Injection.This issue affects Booking Calendar: from n/a through <= 10.14.15."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') vulnerabilidad en la reserva de Booking Calendar de wpdevelop permite Inyecci\u00f3n SQL Ciega. Este problema afecta a Booking Calendar: desde n/a hasta &lt;= 10.14.15."}], "id": "CVE-2026-32358", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:49.470", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/booking/vulnerability/wordpress-booking-calendar-plugin-10-14-15-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,10.14.15]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "10.14.16"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Booking Calendar", "source": "cna", "vendor": "wpdevelop"}, "product": "booking_calendar", "vendor": "wpdevelop"}], "analysis": {"en": {"generated_at": "2026-03-19T16:37:47.051457+00:00", "value": {"mitigation_remediation": ["Update the Booking Calendar plugin to a version newer than 10.14.15 to eliminate the vulnerability.", "If an update cannot be applied immediately, disable or uninstall the plugin to remove the attack surface.", "Restrict database user privileges used by WordPress to only the permissions required for normal operation.", "Monitor database logs for unusual queries or repeated failed attempts that may indicate probing or exploitation.", "Deploy a web application firewall or input validation plugin to detect and block suspicious SQL parameters related to booking requests."], "summary": {"action": "Patch Now", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the wpdevelop Booking Calendar plugin version 10.14.15 or earlier are affected. The issue applies to any installation of the plugin with a version up to and including 10.14.15, as indicated by the vendor impact statement.", "description_and_impact": "The Booking Calendar plugin for WordPress has a flaw that causes improper neutralization of special elements in SQL commands, enabling blind SQL injection. The vulnerability is classified as CWE\u201189 and permits an attacker to send crafted requests that trick the application into executing arbitrary SQL statements against the site's database, potentially exposing sensitive data or modifying or deleting records.", "risk_and_exploitability": "The CVSS base score of 7.6 indicates a high severity impact, while the EPSS score of less than 1% suggests a low current likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is remote, requiring access to publicly exposed booking pages or API endpoints that accept user input. Exploitation would involve sending multiple crafted requests to infer database schema or data through timing or result-based responses, granting the attacker unauthorized access to the database content and the potential to alter or delete stored data."}}}}, "created": "2026-03-16T09:34:49.235249+00:00", "updated": "2026-03-23T09:58:59.033832+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdevelop", "wpdevelop$PRODUCT$booking_calendar"]}