PatchSiren cyber security CVE debrief
CVE-2026-15335 masaakitanaka CVE debrief
The Booking Package plugin for WordPress is vulnerable to SQL Injection via the 'email' form parameter in versions up to and including 1.7.20. This vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially extracting sensitive information from the database. The vulnerability exists in the /wp-json/booking-package/v1/request REST API endpoint, which is registered with permission_callback: __return_true, allowing unauthenticated attackers to inject SQL queries without authentication. The impact of this vulnerability is significant as it could lead to unauthorized access to sensitive data stored in the database. Users of the Booking Package plugin for WordPress, particularly those with versions up to and including 1.7.20, should be aware of this vulnerability and take steps to mitigate it by updating the plugin to a version that fixes the SQL Injection vulnerability, implementing web application firewalls (WAFs) to detect and prevent SQL Injection attacks, regularly monitoring and auditing database activity for suspicious queries, limiting database privileges to the minimum required for the application, and using prepared statements with parameterized queries to prevent SQL Injection.
- Vendor
- masaakitanaka
- Product
- Booking Package
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-11
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-07-11
- Advisory updated
- 2026-07-11
Who should care
Users of the Booking Package plugin for WordPress, particularly those with versions up to and including 1.7.20, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability exists in the /wp-json/booking-package/v1/request REST API endpoint, which is registered with permission_callback: __return_true. This allows unauthenticated attackers to inject SQL queries without authentication. The vulnerable parameter 'email' is not properly escaped, and wp_magic_quotes does not apply to REST-sourced $_POST values, allowing single quotes in the payload to reach the SQL sink intact.
Defensive priority
High priority due to the high CVSS score of 7.5 and the potential for sensitive information extraction.
Recommended defensive actions
- Update the Booking Package plugin to a version that fixes the SQL Injection vulnerability.
- Implement web application firewalls (WAFs) to detect and prevent SQL Injection attacks.
- Regularly monitor and audit database activity for suspicious queries.
- Limit database privileges to the minimum required for the application.
- Use prepared statements with parameterized queries to prevent SQL Injection.
Evidence notes
The CVE record was published on 2026-07-11T05:16:32.923Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Multiple source references are provided, including links to the vulnerable code in the Booking Package plugin.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T05:16:32.923Z and has not been modified since then. The NVD entry is currently in the 'Received' status.