CVE-2024-10540: 
WordPress vulnerability analysis and mitigation

The BookingPress WordPress plugin (Appointment Booking Calendar Plugin and Scheduling Plugin) contains a SQL Injection vulnerability (CVE-2024-10540) discovered in versions up to and including 1.1.16. The vulnerability exists in the 'service' parameter of the bookingpress_form shortcode due to insufficient escaping of user-supplied parameters and inadequate SQL query preparation (NVD).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 6.5 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue stems from improper handling of the 'service' parameter in the bookingpress_form shortcode, allowing authenticated users with Subscriber-level access or higher to append additional SQL queries to existing database queries (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Subscriber-level access or higher to extract sensitive information from the database by injecting additional SQL queries into existing database operations (NVD).

Website administrators should update the BookingPress plugin to a version newer than 1.1.16 which contains the security fix. A patch has been released and is available through the WordPress plugin repository (WordPress).