VYPR

CVE-2018-20556

Unrated severity · NVD Advisory · Published Mar 18, 2019 · Updated Aug 5, 2024

Description

SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in WordPress Booking Calendar 8.4.3 lets an authenticated user execute arbitrary SQL through the booking_id parameter of the plugin's booking-management requests.

Vulnerability

The WordPress Booking Calendar plugin (by oplugins), version 8.4.3 and possibly earlier releases, contains an authenticated SQL injection in the booking_id parameter. The parameter is sent in POST requests for booking-management actions such as trashing or restoring a booking, and its value is interpolated into SQL without validation or escaping. The injection point is therefore reachable by any authenticated user who can operate the plugin's control panel and act on booking entries.

Exploitation

The attacker needs valid WordPress credentials; the advisory puts the bar at a subscriber-level account or higher, since the injection point sits behind the plugin's admin-side booking page. The steps are:

  1. Log in to WordPress and open the Booking Calendar plugin page.
  2. Select any existing booking entry and click the 'Trash Can' button to trigger a delete action.
  3. Capture the resulting POST request with an intercepting proxy (e.g., Burp Suite).
  4. Locate the booking_id parameter in the request body.
  5. Append a SQL payload to the numeric ID. For example, ) AND SLEEP(100) AND (1=1 keeps the statement syntactically valid while adding a time delay; a response that stalls for the sleep interval confirms the injection. SLEEP() is evaluated per candidate row, so a small value such as SLEEP(5) is the practical choice when probing.

The parameter is exploitable with boolean-based blind, error-based, and time-based blind techniques, so sqlmap can automate data extraction and, where the database account permits it, attempt an OS shell.

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary SQL commands, leading to:

  • Reading arbitrary data from the WordPress database (e.g., usernames, password hashes, user metadata).
  • Potential escalation to remote code execution if the database account has the MySQL FILE privilege and secure_file_priv does not block the target directory (e.g., writing a webshell with SELECT ... INTO OUTFILE to a web-root path the database process can write, which is also what sqlmap --os-shell relies on).
  • Full compromise of the WordPress site, including privilege escalation and data exfiltration.

Mitigation

As of the available references, the vendor (oplugins) has not released a version that is documented as fixing CVE-2018-20556. The affected version is 8.4.3; users should upgrade to the latest Booking Calendar release in case a fix was applied silently in a later version, and verify it by repeating the time-based probe above against a test instance. If no fixed version can be confirmed, restrict access to the WordPress admin panel (and to the plugin's booking management page) to trusted users only, or disable the plugin until a patch is confirmed. The code-level fix for this class of bug is to cast the ID with absint()/intval() and pass it through $wpdb->prepare() with a %d placeholder instead of concatenating the POST value into the query. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (as of the publication date).

[1][2]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input sanitization on the `booking_id` parameter allows SQL injection."

Attack vector

An attacker must first authenticate to the WordPress control panel [1][2]. From the Booking Calendar admin page, the attacker selects a booking entry and clicks the "Trash Can" button to delete it. The resulting POST request carries the `booking_id` parameter, which is injectable. Appending a payload such as `) AND SLEEP(100) AND (1=1` to the booking ID value yields boolean-based blind, error-based, or time-based injection and lets the attacker extract arbitrary data from the database [1][2]. The payload's shape is itself informative: the leading `)` closes a parenthesis the query already opened around the ID, and the trailing `(1=1` is closed by the `)` the query appends, which indicates the raw value is interpolated inside a parenthesised expression such as an `IN (...)` list (an inference from the payload; the advisory does not quote the query).

Affected code

The vulnerability resides in the `booking_id` parameter processed by the Booking Calendar plugin when handling the `TRASH_RESTORE` action. The specific file and function are not identified in the advisory, but the parameter is passed unsanitized into SQL queries [1][2].

What the fix does

No patch is provided in the advisory. The remediation guidance recommends uninstalling the plugin until the developer releases a fix [2]. The advisory does not specify whether a patch was ever published.

Preconditions

  • auth: Attacker must have valid WordPress admin panel credentials
  • config: The Booking Calendar plugin version 8.4.3 (or possibly older versions) must be installed and active

Reproduction

  1. Log in to the WordPress control panel.
  2. Navigate to the Booking Calendar plugin page.
  3. Set up Burp Suite to capture traffic.
  4. Select a booking entry and click the "Trash Can" button to delete it.
  5. In Burp Suite, identify the `booking_id` parameter in the POST request.
  6. Append a SQL injection payload such as `) AND SLEEP(100) AND (1=1` after the ID value. Example: `action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67` [1][2].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)