CVE-2024-1207 is a critical SQL Injection vulnerability identified in the WP Booking Calendar plugin for WordPress, affecting all versions up to and including 9.9. The root cause is insufficient escaping and lack of proper preparation of the SQL query involving the user-supplied parameter 'calendar_request_params[dates_ddmmyy_csv]'. This parameter is used in constructing SQL queries without adequate sanitization, allowing attackers to append arbitrary SQL commands. Because the vulnerability is exploitable without authentication or user interaction, an attacker can remotely execute malicious SQL statements against the backend database. This can lead to unauthorized data disclosure, data manipulation, or even complete database compromise. The vulnerability has a CVSS 3.1 base score of 9.8, reflecting its critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The plugin is widely used in WordPress environments for booking management, making this vulnerability a significant threat to websites relying on it. No official patches or exploit code are currently published, but the risk remains high due to the nature of SQL Injection flaws and the popularity of WordPress plugins as attack vectors.

The impact of CVE-2024-1207 is severe for organizations using the WP Booking Calendar plugin. Successful exploitation can lead to full compromise of the underlying database, exposing sensitive customer and booking information, including personally identifiable information (PII), payment details, and internal business data. Attackers may also modify or delete data, disrupting business operations and causing data integrity issues. The vulnerability can facilitate further attacks such as privilege escalation, lateral movement within the network, or deployment of ransomware. Given WordPress's extensive use globally, this vulnerability can affect a wide range of sectors including hospitality, event management, and service industries that rely on booking systems. The lack of authentication requirement and ease of exploitation increase the likelihood of automated attacks and mass exploitation campaigns, potentially resulting in significant reputational damage, regulatory penalties, and financial losses.

To mitigate CVE-2024-1207, organizations should immediately update the WP Booking Calendar plugin to a patched version once released by the vendor. Until a patch is available, implement Web Application Firewall (WAF) rules to detect and block malicious SQL injection payloads targeting the 'calendar_request_params[dates_ddmmyy_csv]' parameter. Employ input validation and sanitization at the application level to reject unexpected or malformed input formats. Restrict database user permissions to the minimum necessary to limit the impact of a potential injection. Monitor web server and application logs for suspicious query patterns or repeated access attempts to the vulnerable parameter. Additionally, conduct regular security assessments and penetration testing focused on SQL injection vectors. For high-risk environments, consider temporarily disabling the plugin or replacing it with alternative booking solutions that follow secure coding practices. Maintain comprehensive backups to enable recovery in case of data compromise.