CVE-2026-11823
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
The BookingPress Appointment Booking Pro plugin for WordPress up to version 5.7.1 is vulnerable to SQL Injection via the 'store_service_date' parameter in the bpa_assign_staffmember_to_slots() function. This is due to the use of stripslashes_deep() on POST data without using $wpdb->prepare(), allowing unauthenticated attackers to append additional SQL queries.
Risk Assessment
An unauthenticated attacker can exploit this vulnerability to extract sensitive information from the database, such as user passwords, customer data, or API keys, leading to a breach of confidentiality and system integrity.
Recommendation
Immediately update the BookingPress Appointment Booking Pro plugin to the latest available version that fixes this vulnerability, and use parameterized SQL queries instead of directly interpolating user-supplied data.
Original NVD description (English source)
The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

