CVE-2025-31910 Overview
CVE-2025-31910 is a SQL injection vulnerability in the bookingpress-appointment-booking WordPress plugin developed by reputeinfosystems. The flaw affects all BookingPress versions up to and including 1.1.28. An authenticated attacker holding a high-privilege account can inject crafted SQL through plugin input that is not neutralized before it reaches a database query, breaking out of the intended query context. Because the plugin and the WordPress database sit in different security scopes, successful exploitation compromises the confidentiality of data well beyond the plugin's own tables and can disrupt service availability. The issue is tracked under CWE-89 and documented in the Patchstack SQL Injection Vulnerability advisory.
Critical Impact
Authenticated attackers can extract sensitive WordPress database contents, including wp_users records with password hashes and the session tokens stored in wp_usermeta, by injecting SQL through the BookingPress plugin.
Affected Products
- BookingPress Appointment Booking plugin for WordPress
- All versions from initial release through 1.1.28
- WordPress sites running the free BookingPress distribution
Discovery Timeline
- 2025-04-01 - CVE-2025-31910 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-31910
Vulnerability Analysis
The vulnerability stems from improper neutralization of special elements in SQL statements built by the BookingPress plugin. User-controlled input flows into database queries without parameterization or proper escaping. An authenticated attacker can supply crafted values that close the intended string literal or clause and append attacker-controlled SQL to the statement.
The vulnerability is reachable over the network and exploitation is low in complexity, but it requires an authenticated account with high privileges. The scope is changed: a successful injection reaches beyond the vulnerable plugin into the shared WordPress database, so every table the site's database account can read is exposed. The EPSS score sits at 0.133% (32.5th percentile), indicating low observed exploitation activity at time of publication.
Root Cause
The plugin builds SQL statements by concatenating request parameters into the query text instead of binding them through the WordPress $wpdb->prepare() API. With no input validation and no parameter binding, attacker-supplied metacharacters such as single quotes, comment sequences, semicolons, and UNION keywords are parsed as SQL syntax rather than as data and alter the structure of the query.
Attack Vector
An attacker with high-privilege authenticated access submits a request to a vulnerable BookingPress endpoint with a malicious payload in a parameter that the plugin passes into an SQL query. The injected SQL runs with the privileges of the MySQL account WordPress connects with (DB_USER in wp-config.php), which is typically granted full rights on the site's database. Attackers can enumerate tables, exfiltrate wp_users credentials, and issue expensive or destructive queries that degrade availability.
The vulnerability manifests in plugin endpoints that pass request data into raw SQL strings. See the Patchstack advisory for vendor-confirmed technical details.
Detection Methods for CVE-2025-31910
Indicators of Compromise
- Web server access logs containing SQL keywords such as UNION SELECT, SLEEP(, INFORMATION_SCHEMA, or encoded variants in requests to BookingPress endpoints under /wp-admin/admin-ajax.php or plugin REST routes
- Unexpected queries against wp_users, wp_usermeta, or BookingPress tables issued through the WordPress database account, as seen in MySQL general or audit logs
- New or modified administrator accounts in WordPress following requests to BookingPress endpoints
- Database error responses returned in HTTP replies from BookingPress URLs
Detection Strategies
- Deploy WordPress-aware web application firewall rules that flag SQL metacharacters and keywords in the values of BookingPress request parameters, including URL-encoded and double-encoded variants
- Enable MySQL general query logging on staging environments and review queries originating from plugin handlers for unparameterized input
- Correlate authenticated session activity with BookingPress request bursts to identify abuse from compromised privileged accounts
Monitoring Recommendations
- Alert on HTTP 500 responses from /wp-admin/admin-ajax.php containing bookingpress action names
- Monitor for privilege changes in wp_usermeta immediately following BookingPress requests
- Track failed and successful logins for accounts with manage_options capability that interact with BookingPress endpoints
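The access-log indicators and the HTTP 500 monitoring rule above, as an added example run over constructed log lines (this is not tooling from the advisory or the plugin). It assumes the combined log format, that BookingPress admin-ajax actions contain the string "bookingpress", and a hypothetical REST path under /wp-json/bookingpress/; the SQL keyword patterns are the ones the indicator list names plus a simple tautology check.

```python
"""Added example: review web-server access logs for SQL injection attempts and
server errors on BookingPress endpoints.  Log lines are constructed samples."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: client ident user [timestamp] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Keywords from the indicator list, a numeric tautology, and stacked-query starts.
SQLI_RE = re.compile(
    r"union\s+(?:all\s+)?select"
    r"|\bsleep\s*\("
    r"|\bbenchmark\s*\("
    r"|information_schema"
    r"|\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"
    r"|--\s"
    r"|;\s*(?:drop|alter|insert|update|delete)\b",
    re.IGNORECASE,
)

# Constructed sample lines (not real traffic).  Line 3 is double URL-encoded;
# line 5 carries a payload but is not a BookingPress request.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=bookingpress_get_appointment&booking_id=10 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Apr/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=bookingpress_get_appointment&booking_id=10%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 840 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Apr/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=bookingpress_get_appointment&booking_id=10%2527%2520AND%2520SLEEP%25285%2529--%2520 HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Apr/2025:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=bookingpress_save_appointment HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Apr/2025:10:00:05 +0000] "GET /?s=%27+UNION+SELECT+1 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2527-style double encoding is caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_bookingpress_request(target: str) -> tuple:
    """(True, endpoint) for admin-ajax actions or REST paths naming BookingPress."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if path.endswith("/wp-admin/admin-ajax.php"):
        action = parse_qs(parts.query).get("action", [""])[0].lower()
        if "bookingpress" in action:          # assumption: plugin action prefix
            return True, action
    if "/wp-json/" in path and "bookingpress" in path:  # hypothetical REST route
        return True, parts.path
    return False, ""


def scan(lines: list) -> list:
    """Return one finding per suspicious BookingPress request line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        hit, endpoint = is_bookingpress_request(m.group("target"))
        if not hit:
            continue
        evidence = SQLI_RE.search(decode_fully(m.group("target")))
        status = int(m.group("status"))
        if evidence:
            findings.append({"line": n, "ip": m.group("ip"), "reason": "sqli_pattern",
                             "endpoint": endpoint, "evidence": evidence.group(0)})
        elif status >= 500:
            findings.append({"line": n, "ip": m.group("ip"), "reason": "http_500",
                             "endpoint": endpoint, "evidence": str(status)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Lines 2 and 3 are flagged on the decoded payload and line 4 on the 500 response; line 5 is ignored because the scan is scoped to BookingPress endpoints. The blind spot to remember is that access logs carry only the query string: most admin-ajax calls send the action and its parameters in the POST body, so pair this review with WAF or application-level request logging that records bodies, and treat the 500-response rule as the fallback signal for injection attempts you cannot see.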
How to Mitigate CVE-2025-31910
Immediate Actions Required
- Update BookingPress to a version later than 1.1.28 as soon as the vendor releases a fixed build referenced in the Patchstack advisory
- Audit all WordPress administrator and editor accounts and rotate credentials for any account that could reach BookingPress administrative pages
- Review database query logs and WordPress audit trails for evidence of injection attempts against BookingPress endpoints
Patch Information
Reputeinfosystems addresses the SQL injection in BookingPress releases after 1.1.28. Refer to the Patchstack SQL Injection Vulnerability advisory for the fixed version and changelog details. Apply the patch through the WordPress plugin updater or by replacing the plugin directory with the vendor-supplied archive.
Workarounds
- Restrict access to the /wp-admin/ area with IP allowlists at the reverse proxy or web application firewall; note that admin-ajax.php also serves unauthenticated front-end requests (wp_ajax_nopriv_ actions), so allowlisting it wholesale can break public-facing features that depend on it
- Disable or remove the BookingPress plugin on sites where appointment booking is not required until the patch is applied
- Enforce least privilege on the WordPress database user, removing rights such as DROP, ALTER, and FILE where not required by core functionality; core and plugin updates may need CREATE and ALTER for schema changes, so grant those only for the update window
# Example: disable the BookingPress plugin via WP-CLI until a patched version is installed
wp plugin deactivate bookingpress-appointment-booking
wp plugin status bookingpress-appointment-booking
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


