S4E

CVE-2024-6924 Scanner

CVE-2024-6924 scanner - SQL Injection vulnerability in TrueBooker Appointment Booking Plugin

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 4 weeks
Scan only one: Domain, IPv4
Toolbox: -

The TrueBooker Appointment Booking and Scheduler Plugin is used for managing appointments and bookings on WordPress websites. It is commonly utilized by businesses that offer services requiring scheduling, such as salons, clinics, or consulting services. The plugin simplifies the booking process for clients while helping businesses manage appointments effectively. It integrates seamlessly with WordPress, making it a popular choice for small to medium-sized businesses. However, the plugin has a known SQL Injection vulnerability in versions up to 1.0.2.

The SQL Injection vulnerability in the TrueBooker Plugin allows unauthorized users to execute malicious SQL queries by injecting them into legitimate queries. This occurs because user input is not sufficiently escaped and the affected queries are not built with prepared statements. If exploited, attackers can extract sensitive information from the database. This vulnerability is highly critical because it affects the security of every website running the vulnerable plugin versions.

The vulnerability resides in the TrueBooker Appointment Booking Plugin for WordPress, specifically in the parameter handling of the truebooker-service-price.php script. The vulnerable endpoint allows unauthenticated users to pass unsanitized input that is used directly in SQL queries. Because this input is not properly handled, injected SQL can alter the executed query and lead to unauthorized data extraction. The tba_service_id parameter is the injection point: an attacker can manipulate the query by appending expressions such as SLEEP() to confirm the flaw or to extract data from the database.
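The root cause described above is string concatenation of request input into SQL. The following is an added illustration, not TrueBooker's code or S4E's scanner logic: a hypothetical WordPress handler for a tba_service_id lookup, shown first in the injectable form and then hardened with integer coercion and $wpdb->prepare(). The table name, action name and function names are assumptions; the WordPress APIs ($wpdb->prepare, $wpdb->get_var, absint, wp_unslash, wp_send_json_*) are real.

```php
<?php
// Hypothetical illustration (not TrueBooker's code): a service-price lookup
// keyed by tba_service_id, in an injectable form and a hardened form.
// Table name "{$wpdb->prefix}tba_services" is an assumption.

// Vulnerable pattern: the raw request value becomes part of the SQL text,
// so anything the client sends is parsed by MySQL as part of the query.
function tba_get_service_price_unsafe( $wpdb, $service_id ) {
    $sql = "SELECT price FROM {$wpdb->prefix}tba_services WHERE id = " . $service_id;
    return $wpdb->get_var( $sql );
}

// Hardened pattern: coerce to a non-negative integer first, then bind the
// value through a %d placeholder so it can never change the query structure.
function tba_get_service_price_safe( $wpdb, $service_id ) {
    $id = absint( $service_id );
    if ( 0 === $id ) {
        return null; // reject non-numeric or zero ids before touching the database
    }
    $sql = $wpdb->prepare(
        "SELECT price FROM {$wpdb->prefix}tba_services WHERE id = %d",
        $id
    );
    return $wpdb->get_var( $sql );
}

// Hypothetical AJAX wiring; the endpoint is reachable without authentication
// (wp_ajax_nopriv_), which is why input validation must happen server-side.
add_action( 'wp_ajax_nopriv_tba_service_price', 'tba_service_price_ajax' );
add_action( 'wp_ajax_tba_service_price', 'tba_service_price_ajax' );

function tba_service_price_ajax() {
    global $wpdb;
    $service_id = isset( $_POST['tba_service_id'] ) ? wp_unslash( $_POST['tba_service_id'] ) : '';
    $price      = tba_get_service_price_safe( $wpdb, $service_id );
    if ( null === $price ) {
        wp_send_json_error( array( 'message' => 'invalid service id' ), 400 );
    }
    wp_send_json_success( array( 'price' => $price ) );
}
```

The fix has two independent layers: absint() guarantees the value is an integer before any query is built, and $wpdb->prepare() with %d guarantees that even a future change to the validation cannot reintroduce string interpolation. When reviewing a plugin, search for $wpdb->query, get_var, get_results and get_row calls whose SQL argument is built with "." or "{$...}" from $_GET, $_POST or $_REQUEST; each such call is a candidate for exactly this class of bug.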

If exploited, this SQL Injection vulnerability can lead to the compromise of the entire database. Attackers can retrieve sensitive information such as customer details, financial records, or any other stored data. This can lead to data breaches, identity theft, and reputational damage for businesses using the plugin. Additionally, attackers could alter or delete data, disrupting normal operations and causing significant harm to the affected business.

By using the S4E platform, you can ensure continuous monitoring of your WordPress plugins and other online assets. Our platform provides automated, real-time detection of vulnerabilities, offering detailed reports and guidance on mitigating risks. With our service, you can proactively protect your digital presence, minimizing the risk of security breaches and ensuring compliance with industry standards. Join our platform today to enhance your security posture and stay ahead of potential threats.

