CVE-2021-24726: 
WordPress vulnerability analysis and mitigation

The WP Simple Booking Calendar WordPress plugin before version 2.0.6 contained a significant security vulnerability identified as CVE-2021-24726. The vulnerability was discovered by Martin Vierula of Trustwave and was publicly disclosed on August 6, 2021. This security issue affected the plugin's Search Calendars functionality, specifically impacting installations prior to the patched version 2.0.6 (WPScan).

The vulnerability is classified as an authenticated SQL injection (SQLi) issue. The security flaw existed because the plugin failed to properly escape, validate, or sanitize the 'orderby' parameter in its Search Calendars action before using it in SQL statements. The vulnerability has been assigned a CVSS score of 6.8, indicating medium severity. The issue was fixed in version 2.0.6, though notably, the fix was implemented without a version bump, resulting in two different 2.0.6 versions - one vulnerable and one patched (WPScan).

The vulnerability could allow authenticated attackers to perform SQL injection attacks against affected WordPress installations. This could potentially lead to unauthorized access to the database, data manipulation, or exposure of sensitive information stored in the WordPress database (WPScan).

Users should update to the patched version 2.0.6 of the WP Simple Booking Calendar plugin released after July 12, 2021. Due to the unusual circumstance of having two different 2.0.6 versions, users should ensure they have the patched version installed (WPScan).