CVE-2026-13454
Last modified
CVE-2026-13454 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. EPSS estimates a 0.36% chance of exploitation in the next 30 days.
Description
The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the mpa_appointment_employee custom role, meaning any user assigned this role can perform the attack.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| jetmonsters | MotoPress Appointment Booking | <= 2.4.5 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-13454?
How severe is CVE-2026-13454?
How do I fix CVE-2026-13454?
Related CVEs from 2026
- CVE-2026-1344Tanium addressed an insecure file permissions vulnerability …5.5
- CVE-2026-13441The EventPrime – Events Calendar, Bookings and Tickets plugi…7.2
- CVE-2026-13443The Tutor LMS – eLearning and online course solution plugin …6.4
- CVE-2026-13449IBM Business Automation Manager Open Editions 9.0.0 through …9.1
- CVE-2026-1345IBM Verify Identity Access Container 11.0 through 11.0.2 and…7.3
- CVE-2026-13450The GamiPress – Gamification plugin to reward points, achiev…5.3
- CVE-2026-13455PostgreSQL Anonymizer contains a vulnerability that allows u…4.3
- CVE-2026-13459The JetFormBuilder — Dynamic Blocks Form Builder plugin for …5.3
- CVE-2026-1346IBM Verify Identity Access Container 11.0 through 11.0.2 and…7.8
- CVE-2026-13461When coupled with the SSL bypass vulnerability, JavaScript c…9.6
- CVE-2026-13462PayRange Android app, version 7.0.7 and below, contains an S…7.5
- CVE-2026-13468The Visualizer – Tables & Charts Manager with Built-in AI Ge…7.5
Are you affected by CVE-2026-13454?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
