QwikSec

Security Database

CVE

CWE

Training

CVE-2021-24555

Published: Aug 23, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user.

Vendor	Product	Versions
Unknown	Diary & Availability Calendar	affected `1.0.3 - <= 1.0.3`

Weaknesses (CWE)

References

https://wpscan.com/vulnerability/8eafd84b-6214-450b-869b-0afe7cca4c5f

x_refsource_MISC

https://codevigilant.com/disclosure/2021/wp-plugin-diary-availability-calendar/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.