Description

WordPress Plugin Pinpoint Booking System (+WooCommerce) is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Plugin Pinpoint Booking System (+WooCommerce) version 1.2 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.3 or latest

References

http://seclists.org/bugtraq/2014/May/117

http://www.intelligentexploit.com/view-details.html?id=19179

http://packetstormsecurity.com/files/126762/WordPress-Booking-System-SQL-Injection.html

http://www.securityfocus.com/archive/1/532168

http://secunia.com/advisories/58895/

Related Vulnerabilities

WordPress Plugin WebP Converter for Media Cross-Site Request Forgery (1.0.2)

Joomla! Core 3.x.x Directory Traversal (3.0.0 - 3.9.24)

WordPress Plugin Appointment Hour Booking-WordPress Booking Cross-Site Scripting (1.3.16)

MediaWiki remote code execution

WordPress Plugin Powie's WHOIS Domain Check Cross-Site Scripting (0.9.31)

Severity

High

Classification

CVE-2014-3210 CWE-89 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Tags

Missing Update SQL Injection