CVE-2022-1006
HIGH EXPLOITEDAdvanced Booking Calendar < 1.7.1 - Authenticated SQL Injection via Calendar ID Parameter
Title source: llmExploitation Summary
CVE-2022-1006 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks
References (2)
Core 2
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/c5569317-b8c8-4524-8375-3e2369bdcc68
Patch, Third Party Advisory x_refsource_confirm
https://plugins.trac.wordpress.org/changeset/2695427
Scores
CVSS v3
7.2
EPSS
0.0146
EPSS Percentile
70.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2025-07-20
CWE
CWE-89
Status
published
Products (1)
elbtide/advanced_booking_calendar
< 1.7.1
Published
Apr 11, 2022
Tracked Since
Feb 18, 2026