CVE-2022-1006

Advanced Booking Calendar < 1.7.1 - Admin+ SQLi

Basic Information

CVE State: PUBLISHED
Reserved Date: March 17, 2022
Published Date: April 11, 2022
Last Updated: August 02, 2024
Vendor: Unknown
Product: Advanced Booking Calendar
Description: The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks

CVSS Scores

CVSS v3.1

7.2 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

6.5

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploit Status

Exploited in the Wild: Yes (2025-11-12 00:00:00 UTC) Source

References

https://wpscan.com/vulnerability/c5569317-b8c8-4524-8375-3e2369bdcc68 https://plugins.trac.wordpress.org/changeset/2695427

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-11-12 00:00:00 UTC

Timeline

CVE ID Reserved

March 17, 2022
CVE Published to Public

April 11, 2022
Added to KEVIntel

November 12, 2025