EIP-2026-113603

PRE-CVE

WordPress Plugin Booking Calendar Contact Form 1.1.24 - addslashes SQL Injection

Title source: legacy
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113603. PoCs published by i0akiN SEC-LABORATORY.

AI-analyzed exploit summary This is a detailed technical writeup describing a SQL injection vulnerability in the WordPress appointment-booking-calendar plugin (version <=1.1.24). The vulnerability arises due to insufficient sanitization of POST parameters, allowing bypass of WordPress's `wp_magic_quotes` function via special character sets.

Description

WordPress Plugin Booking Calendar Contact Form 1.1.24 - addslashes SQL Injection

Exploits (1)

exploitdb WRITEUP
by i0akiN SEC-LABORATORY · textwebappsphp
https://www.exploit-db.com/exploits/39342

This is a detailed technical writeup describing a SQL injection vulnerability in the WordPress appointment-booking-calendar plugin (version <=1.1.24). The vulnerability arises due to insufficient sanitization of POST parameters, allowing bypass of WordPress's `wp_magic_quotes` function via special character sets.

Classification
Writeup 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress appointment-booking-calendar plugin <=1.1.24
Auth required
Prerequisites: Vulnerable WordPress site with the plugin installed · User with 'edit_pages' permission or ownership of a calendar · Special character set to bypass `addslashes`
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve
Tracked Since Feb 18, 2026