CVE-2014-3210

Booking System < 1.3 - Authenticated SQL Injection via booking_form_id Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-3210. PoCs published by maodun.

AI-analyzed exploit summary The provided text describes an SQL injection vulnerability in the Search Everything plugin for WordPress, specifically affecting versions prior to Booking System (Booking Calendar) 1.3. The vulnerability arises from insufficient input sanitization, allowing attackers to manipulate SQL queries via the 'booking_form_id' parameter.

Description

SQL injection vulnerability in dopbs-backend-forms.php in the Booking System (Booking Calendar) plugin before 1.3 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the booking_form_id parameter to wp-admin/admin-ajax.php.

Exploits (1)

exploitdb WRITEUP VERIFIED
by maodun · textwebappsphp
https://www.exploit-db.com/exploits/39197

The provided text describes an SQL injection vulnerability in the Search Everything plugin for WordPress, specifically affecting versions prior to Booking System (Booking Calendar) 1.3. The vulnerability arises from insufficient input sanitization, allowing attackers to manipulate SQL queries via the 'booking_form_id' parameter.

Classification
Writeup 80%
Attack Type
Sqli
Complexity
Trivial
Reliability
Theoretical
Target: WordPress Booking System (Booking Calendar) < 1.3
No auth needed
Prerequisites: Access to the vulnerable WordPress admin-ajax.php endpoint
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/532168/100/0/threaded

Scores

EPSS 0.0359
EPSS Percentile 88.0%

Details

CWE
CWE-89
Status published
Products (3)
dotonpaper/booking_system 1.0
dotonpaper/booking_system 1.1
dotonpaper/booking_system < 1.2
Published May 22, 2014
Tracked Since Feb 18, 2026