CVE-2018-20556

HIGH

Booking Calendar 8.4.3 - SQL Injection via booking_id Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-20556. PoCs published by B0UG.

AI-analyzed exploit summary: This is a detailed writeup describing an authenticated SQL injection vulnerability in the WordPress Booking Calendar plugin v8.4.3. It includes steps for exploitation via time-based injection and mentions the use of sqlmap for obtaining shells.

Description

SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.

Exploits (1)

exploitdb WRITEUP
by B0UG · text · webapps · php
https://www.exploit-db.com/exploits/46377

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: WordPress Booking Calendar plugin v8.4.3
Auth required
Prerequisites: Authenticated access to WordPress admin panel · Booking Calendar plugin installed and activated
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46377/
Various Sources x_refsource_misc
https://vulners.com/exploitdb/EDB-ID:46377

Scores

CVSS v3 8.8
EPSS 0.1924
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-89
Status published
Products (1)
booking_calendar_project/booking_calendar 8.4.3
Published Mar 21, 2019
Tracked Since Feb 18, 2026