CVE-2023-0220: 
WordPress vulnerability analysis and mitigation

The Pinpoint Booking System WordPress plugin versions before 2.9.9.2.9 contains a SQL injection vulnerability. The vulnerability was discovered and publicly disclosed on January 23, 2023, affecting the booking-system plugin. The issue stems from the plugin's failure to properly validate and escape one of its shortcode attributes before using it in SQL statements (WPScan).

The vulnerability is classified as a SQL Injection (SQLI) vulnerability with a CVSS score of 7.7 (high). It falls under the OWASP Top 10 category A1: Injection and is identified as CWE-89. The vulnerability exists in the shortcode attribute handling where insufficient validation and escaping allow for SQL injection attacks. The issue affects authenticated users, including those with subscriber-level access (WPScan).

When exploited, this vulnerability allows authenticated users, even with minimal privileges such as subscriber access, to perform SQL injection attacks. Attackers can potentially extract sensitive information from the database, including user login details. The vulnerability specifically allows extraction of administrator usernames through carefully crafted SQL queries (WPScan).

The vulnerability has been patched in version 2.9.9.2.9 of the Pinpoint Booking System plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).