CVE-2023-4691: 
WordPress vulnerability analysis and mitigation

The WordPress Online Booking and Scheduling Plugin (Bookly) before version 22.4 contains a SQL injection vulnerability identified as CVE-2023-4691. The vulnerability was discovered in September 2023 and affects the plugin's logging functionality. This security issue impacts installations of the Bookly WordPress plugin versions prior to 22.4 (WPScan).

The vulnerability stems from improper sanitization and escaping of a parameter before its use in SQL statements. Specifically, the columns[0][data] parameter with the value created_at in the Bookly > Settings > Logs section is vulnerable to SQL injection payloads. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could allow authenticated users with high privileges (such as administrators) to perform SQL injection attacks. This could potentially lead to unauthorized access to the database, data manipulation, or exposure of sensitive information stored in the WordPress database (WPScan).

The vulnerability has been patched in version 22.4 of the Bookly plugin. Users are strongly advised to update their installations to this version or later to mitigate the risk (WPScan).