WP Booking Calendar Vulnerability- Unauthenticated SQL Injection – CVE-2024-1207 | WordPress Plugin Vulnerability Report

Plugin Name: WP Booking Calendar

Key Information:

  • Software Type: Plugin
  • Software Slug: booking
  • Software Status: Active
  • Software Author: wpdevelop
  • Software Downloads: 3,262,200
  • Active Installs: 60,000
  • Last Updated: February 12, 2024
  • Patched Versions: 9.9.1
  • Affected Versions: <= 9.9

Vulnerability Details:

  • Name: Booking Calendar <= 9.9
  • Title: Unauthenticated SQL Injection
  • Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2024-1207
  • CVSS Score: 9.8
  • Publicly Published: February 7, 2024
  • Last Updated: February 8, 2024
  • Researcher: Muhammad Hassham Nagori - IKZERO
  • Description: The WP Booking Calendar plugin for WordPress is vulnerable to an SQL Injection attack through the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9. The vulnerability stems from insufficient input sanitization and inadequate SQL query preparation, allowing unauthenticated attackers to inject malicious SQL queries to extract sensitive information from the database.


The WP Booking Calendar, a widely utilized scheduling plugin for WordPress, contains a critical vulnerability in versions up to and including 9.9. This flaw permits unauthenticated SQL Injection, posing a severe security risk as attackers can gain unauthorized access to sensitive data. The issue has been resolved in the latest version, 9.9.1, ensuring the plugin's security against this particular vector of attack.

Detailed Overview:

Discovered by security researcher Muhammad Hassham Nagori, this severe vulnerability exposes websites to potential data breaches. SQL Injection attacks can compromise a website's database, leading to the unauthorized retrieval, manipulation, or destruction of data. The high CVSS score of 9.8 reflects the severity and potential impact of this vulnerability. The developers have addressed this critical issue in the patched version 9.9.1 by implementing proper input validation and query preparation techniques, effectively mitigating the risk of SQL Injection.

Advice for Users:

Immediate Action: Users of the WP Booking Calendar should immediately update to the patched version 9.9.1 to protect their websites from potential exploitation. Check for Signs of Vulnerability: Website administrators are encouraged to review their site logs for unusual or unauthorized database queries, which may indicate past exploitation attempts. Alternate Plugins: While the vulnerability has been addressed, users may consider evaluating other booking and scheduling plugins for their websites as part of a broader security strategy. Stay Updated: It is crucial to regularly update all WordPress plugins, themes, and the core software to protect against known vulnerabilities and ensure the security and functionality of your website.


The swift action taken by the WP Booking Calendar developers to patch the unauthenticated SQL Injection vulnerability underscores the critical importance of maintaining up-to-date software on your WordPress site. By updating to version 9.9.1, users can safeguard their sites against this and other potential security threats, reinforcing the security of their online presence.


In the vast digital landscape where websites are the cornerstone of businesses and personal brands, the security of these online portals is paramount. The recent revelation of a critical vulnerability within the WP Booking Calendar plugin, known as CVE-2024-1207, serves as a stark reminder of the perpetual vigilance required in the realm of website security. This essential plugin, cherished by thousands for its robust scheduling features, has fallen prey to an Unauthenticated SQL Injection vulnerability, illuminating the inherent risks embedded within even the most trusted digital tools.

WP Booking Calendar: A Closer Look

WP Booking Calendar has been a go-to solution for seamless scheduling functionality on WordPress sites, boasting over 3 million downloads and 60,000 active installations. Crafted by the developer wpdevelop, this plugin has facilitated countless bookings, making it an indispensable asset for businesses and individuals alike. Despite its widespread acclaim, the discovery of a severe security flaw in versions up to and including 9.9 has cast a shadow over its reliability.

Understanding the Vulnerability: CVE-2024-1207

CVE-2024-1207 exposes a glaring loophole in the plugin's defenses, allowing unauthenticated attackers to execute SQL Injection attacks through a compromised 'calendar_request_params[dates_ddmmyy_csv]' parameter. This breach, resulting from inadequate input sanitization and SQL query preparation, opens the door to potential unauthorized database manipulations, including data theft and alteration.

The Potential Fallout

The implications of such a vulnerability cannot be understated. Unauthorized access to sensitive information, alteration of booking data, and potential website compromise are just the tip of the iceberg. For small business owners, the ramifications extend beyond mere data loss, potentially eroding customer trust and inflicting lasting damage to their online reputation.

A Path to Remediation

In response to this critical vulnerability, the developers of WP Booking Calendar have released a patched version, 9.9.1, effectively neutralizing the threat posed by CVE-2024-1207. Users of the plugin are urged to update immediately, ensuring their websites are shielded from this and similar threats.

Navigating Past Vulnerabilities

This is not the plugin's first encounter with security vulnerabilities, with 11 previous issues reported since August 1, 2014. Each incident serves as a learning curve, emphasizing the dynamic nature of digital threats and the importance of continuous vigilance.

Staying Ahead of Security Threats

For small business owners juggling myriad responsibilities, the task of staying abreast of every security update can seem daunting. Yet, the digital integrity of your business hinges on the proactive management of these vulnerabilities. Employing managed WordPress hosting services, utilizing security plugins, and regular site audits can significantly mitigate the risks, allowing you to focus on your core business operations.

In conclusion, the discovery of CVE-2024-1207 within the WP Booking Calendar plugin underscores the critical importance of maintaining up-to-date software on your WordPress site. In an era where digital threats are ever-evolving, the security of your online presence is not a set-it-and-forget-it affair but a continuous commitment. By adopting a proactive approach to website security, small business owners can not only protect their digital assets but also preserve the trust and loyalty of their clientele, ensuring their online presence remains both vibrant and secure.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WP Booking Calendar Vulnerability- Unauthenticated SQL Injection – CVE-2024-1207 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment