Description
Multiple SQL injection vulnerabilities in dex_reservations.php in the CP Reservation Calendar plugin before 1.1.7 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in a dex_reservations_calendar_load2 action or (2) dex_item parameter in a dex_reservations_check_posted_data action in a request to the default URI.
Exploits (1)
exploitdb
WRITEUP
by i0akiN SEC-LABORATORY · text · webapps · php
https://www.exploit-db.com/exploits/38187
References (4)
Core References
Patch x_refsource_confirm
https://wordpress.org/plugins/cp-reservation-calendar/changelog/
Exploit exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38187/
Product x_refsource_confirm
https://plugins.trac.wordpress.org/changeset/1104099/cp-reservation-calendar
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/8193
Scores
EPSS
0.0260
EPSS Percentile
85.7%
Details
CWE
CWE-89
Status
published
Products (1)
cp_reservation_calender_project/cp_reservation_calender
< 1.1.6
Published
Sep 17, 2015
Tracked Since
Feb 18, 2026