CVE-2022-0739: 
WordPress vulnerability analysis and mitigation

The BookingPress WordPress plugin before version 1.0.11 contains an unauthenticated SQL injection vulnerability (CVE-2022-0739). The vulnerability was discovered in February 2022 and affects the bookingpressfrontgetcategoryservices AJAX action, which fails to properly sanitize user-supplied POST data before using it in dynamically constructed SQL queries (WPScan, NVD).

The vulnerability exists in the bookingpressfrontgetcategoryservices AJAX action, which is accessible to unauthenticated users. The function fails to properly sanitize the total_service parameter before incorporating it into SQL queries, allowing attackers to inject malicious SQL commands. The vulnerability has been assigned a CVSS score of 8.6 (High), indicating its severe nature (AttackerKB, WPScan).

This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands against the WordPress database. Specifically, attackers can exploit this flaw to dump all username and password hashes stored in the database, potentially compromising the entire WordPress installation (Rapid7 Blog).

The vulnerability has been patched in BookingPress version 1.0.11. Site administrators running vulnerable versions should immediately upgrade to version 1.0.11 or later to protect their installations (WPScan).