CVE-2022-1006

HIGH EXPLOITED

Advanced Booking Calendar < 1.7.1 - Authenticated SQL Injection via Calendar ID Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2022-1006 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks

References (2)

Core 2
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/c5569317-b8c8-4524-8375-3e2369bdcc68
Patch, Third Party Advisory x_refsource_confirm
https://plugins.trac.wordpress.org/changeset/2695427

Scores

CVSS v3 7.2
EPSS 0.0146
EPSS Percentile 70.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-07-20
CWE
CWE-89
Status published
Products (1)
elbtide/advanced_booking_calendar < 1.7.1
Published Apr 11, 2022
Tracked Since Feb 18, 2026