PatchSiren cyber security CVE debrief
CVE-2026-15289 wpdevart CVE debrief
The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpdevart_id’ parameter in all versions up to, and including, 3.2.17. This vulnerability exists due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. An unauthenticated attacker can exploit this vulnerability by appending additional SQL queries into already existing queries to extract sensitive information from the database. However, exploitation requires the Pro version of the plugin to be installed and activated, with the 'Delete previous dates' option checked. The vulnerability has a CVSS score of 5.9 and is considered Medium severity. Users should review their installations and consider updating to the latest version or applying mitigations.
- Vendor
- wpdevart
- Product
- Booking calendar, Appointment Booking System
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of the Booking calendar, Appointment Booking System plugin for WordPress, especially those with the Pro version installed and activated, should be aware of this vulnerability and take necessary actions to protect their sites.
Technical summary
The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpdevart_id’ parameter in all versions up to, and including, 3.2.17. This vulnerability exists due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. An unauthenticated attacker can exploit this vulnerability by appending additional SQL queries into already existing queries to extract sensitive information from the database. However, exploitation requires the Pro version of the plugin to be installed and activated, with the 'Delete previous dates' option checked.
Defensive priority
Medium priority given the CVSS score of 5.9 and the requirement for the Pro version of the plugin to be installed and activated.
Recommended defensive actions
- Update the Booking calendar, Appointment Booking System plugin to the latest version if available.
- Check if the Pro version of the plugin is installed and activated, and if the 'Delete previous dates' option is enabled.
- Implement additional monitoring and logging to detect potential SQL injection attempts.
- Consider using a web application firewall (WAF) to help protect against SQL injection attacks.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-10T05:16:32.133Z and was last modified on 2026-07-10T15:43:30.330Z. The NVD entry is currently Deferred. The information provided is based on the CVE record and NVD entry for CVE-2026-15289. The vulnerability affects the Booking calendar, Appointment Booking System plugin for WordPress, specifically versions up to and including 3.2.17. The Pro version of the plugin must be installed and activated, with the 'Delete previous dates' option checked, for exploitation to be possible.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:32.133Z and has not been modified since then. The NVD entry is currently Deferred.