CVE-2022-1006: 
WordPress vulnerability analysis and mitigation

The Advanced Booking Calendar WordPress plugin before version 1.7.1 contains a SQL injection vulnerability identified as CVE-2022-1006. The vulnerability exists due to insufficient sanitization and escaping of the 'id' parameter when editing Calendars, which could allow high-privilege users such as administrators to perform SQL injection attacks (WPScan, CVE Mitre).

The vulnerability is classified as a SQL injection (SQLI) with a CVSS score of 6.8 (medium). It affects the calendar editing functionality in the plugin's admin interface. The issue specifically occurs in the Seasons & Calendars editing section (/wp-admin/admin.php?page=advanced-booking-calendar-show-seasons-calendars) where the 'id' parameter is not properly sanitized. The vulnerability is categorized under CWE-89 and falls under the OWASP Top 10 category A1: Injection (WPScan).

The vulnerability allows authenticated users with administrative privileges to perform SQL injection attacks against the WordPress database. This could potentially lead to unauthorized access to database contents, manipulation of data, or other database-related attacks (WPScan).

The vulnerability has been fixed in version 1.7.1 of the Advanced Booking Calendar plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).