The developers of the Booking Calendar WordPress plugin have released a patch that fixes an SQL injection vulnerability.
Booking Calendar is a plugin that adds online booking to WordPress sites. Visitors make a booking by selecting days on a calendar, filling in text fields and submitting a form.
As of this writing, there are more than 30,000 active installations of Booking Calendar.
Researchers from the Dutch security project Summer of Pwnage found the flaw at a community hacker event in July. The Amsterdam-based collaboration centred on security research into open source software (OSS), WordPress in particular.
As the researchers explain in a blog post:
"An SQL injection vulnerability exists in the Booking Calendar WordPress plugin. This vulnerability allows an attacker to view data from the database. The affected parameter is not properly sanitised or protected with an anti-Cross-Site Request Forgery token. Consequently, it can also be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement)."
Summer of Pwnage traced the vulnerability to the wpdev_get_args_from_request_in_bk_listing() function in booking/lib/wpdev-bk-lib.php (line 709). The injection point is the Booking ID field: a user with the 'Editor' role can reach the vulnerable parameter and use it to read data from any table in the database. Because the request is not tied to an anti-CSRF token, an attacker without an account can still trigger the query by getting a logged-in editor to open a crafted link.
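To show the two defects the researchers describe (a request value concatenated into SQL, and no anti-CSRF token on the request) next to the usual WordPress fix, here is an added illustration. It is not code from the Booking Calendar plugin or from the Summer of Pwnage write-up; the function names, the `bk_demo_bookings` table, the `booking_id` and `bk_demo_nonce` parameters and the capability used are all hypothetical stand-ins for a listing handler that reads a booking ID from the request.

```php
<?php
/**
 * Added illustration, not code from the Booking Calendar plugin.
 * Function names, the table name, request parameters and the nonce
 * action are hypothetical; they stand in for a listing handler that
 * reads a booking ID from the request.
 */

// VULNERABLE (hypothetical): the request value goes straight into the SQL
// text, and nothing ties the request to a form the user actually submitted.
function bk_demo_listing_vulnerable() {
    global $wpdb;
    $booking_id = isset( $_REQUEST['booking_id'] ) ? $_REQUEST['booking_id'] : '';
    // A value such as  0 UNION SELECT user_login, user_pass FROM wp_users
    // becomes part of the statement, so the query returns whatever the
    // attacker selects, not just one booking. A crafted link carrying that
    // value works as well as a direct request, since no nonce is checked.
    $sql = "SELECT booking_id, start_date FROM {$wpdb->prefix}bk_demo_bookings WHERE booking_id = " . $booking_id;
    return $wpdb->get_results( $sql );
}

// HARDENED (hypothetical): capability check, nonce check, type coercion and
// a prepared statement, in that order.
function bk_demo_listing_hardened() {
    global $wpdb;

    // 1. Only users allowed to manage bookings get this far
    //    (the capability name is a placeholder; use the plugin's own).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Reject requests that do not carry a valid nonce for this action.
    //    A link an attacker lures an editor into clicking cannot include it,
    //    which closes the CSRF route the researchers mention.
    $nonce = isset( $_REQUEST['bk_demo_nonce'] ) ? $_REQUEST['bk_demo_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'bk_demo_listing' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 3. A booking ID is an integer; absint() discards anything else.
    $booking_id = isset( $_REQUEST['booking_id'] ) ? absint( $_REQUEST['booking_id'] ) : 0;
    if ( 0 === $booking_id ) {
        return array();
    }

    // 4. Even with a sanitised integer, let $wpdb bind the value.
    $sql = $wpdb->prepare(
        "SELECT booking_id, start_date FROM {$wpdb->prefix}bk_demo_bookings WHERE booking_id = %d",
        $booking_id
    );
    return $wpdb->get_results( $sql );
}

// Where the listing link is generated, attach the nonce so that legitimate
// requests carry it (the page slug is hypothetical):
//   $url = wp_nonce_url(
//       admin_url( 'admin.php?page=bk-demo&booking_id=' . $id ),
//       'bk_demo_listing',
//       'bk_demo_nonce'
//   );
```

The order of the checks matters: the capability test keeps anonymous visitors out, the nonce test stops a logged-in editor from being used as a proxy, and `absint()` plus `$wpdb->prepare()` make the value harmless even if both of those checks are somehow bypassed.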
For proof of concept code that demonstrates how an attacker could exploit the vulnerability, please see the researchers' blog post.
Booking Calendar has fixed the issue in version 6.2.1 of the plugin. All users are urged to upgrade to that version as soon as possible.
News of this patch follows a few weeks after the developers of the All in One SEO Pack WordPress plugin patched a vulnerability that allowed for persistent cross-site scripting (XSS).