CVE-2024-13235: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in dotonpaper Pinpoint Booking System – #1 WordPress Booking Plugin
CVE-2024-13235 is a medium severity SQL Injection vulnerability in the Pinpoint Booking System WordPress plugin, affecting all versions up to 2.9.9.5.2. The flaw exists in the 'language' parameter, which is insufficiently sanitized, allowing authenticated users with Subscriber-level or higher access to inject arbitrary SQL commands. Exploitation does not require user interaction but does require authentication with low privileges. The vulnerability can lead to unauthorized disclosure of sensitive database information but does not impact data integrity or availability. No known exploits are currently reported in the wild. Organizations using this popular booking plugin should prioritize patching or applying mitigations to prevent data leakage.
AI Analysis
Technical Summary
CVE-2024-13235 is an SQL Injection vulnerability identified in the Pinpoint Booking System, a widely used WordPress booking plugin developed by dotonpaper. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) specifically via the 'language' parameter. This parameter is used in SQL queries without sufficient escaping or prepared statements, allowing attackers with authenticated access at the Subscriber level or higher to append malicious SQL code. This can lead to unauthorized extraction of sensitive information from the backend database. The vulnerability affects all plugin versions up to and including 2.9.9.5.2. The CVSS v3.1 score is 6.5 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts confidentiality but not integrity or availability. Although no public exploits are known, the ease of exploitation by authenticated users makes this a significant risk. The vulnerability highlights the importance of proper input validation and use of parameterized queries in WordPress plugins to prevent injection attacks.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive data stored in the WordPress site's database, which may include user information, booking details, and potentially other confidential data. Since the attacker needs only Subscriber-level access, which is commonly granted to registered users, the attack surface is broad. This can lead to privacy violations, compliance issues, and reputational damage for organizations using the affected plugin. While the vulnerability does not allow modification or deletion of data (integrity) or cause denial of service (availability), the confidentiality breach alone can have serious consequences, especially for businesses handling personal or payment information. The risk is amplified for organizations relying heavily on this plugin for booking and customer management, including e-commerce, hospitality, and service industries worldwide.
Mitigation Recommendations
Organizations should immediately update the Pinpoint Booking System plugin to a patched version once available. In the absence of an official patch, administrators should restrict Subscriber-level user capabilities to minimize risk, such as disabling the ability to modify the 'language' parameter or limiting access to the booking system backend. Employing Web Application Firewalls (WAFs) with SQL Injection detection rules can help block malicious payloads targeting this parameter. Additionally, site owners should audit user roles and permissions to ensure minimal privileges are assigned. Regular database backups and monitoring for unusual query patterns can aid in early detection of exploitation attempts. Developers maintaining the plugin should implement parameterized queries and proper input sanitization to prevent similar vulnerabilities in the future.
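The advisory names the 'language' parameter as the injection point and recommends monitoring for unusual request patterns. The following added example (not code from the advisory, the plugin or Wordfence) applies the allowlist idea to web-server access logs: a locale value that does not look like a WordPress-style language code (such as `en` or `en_US`) is flagged for triage. The log lines and the `/booking/` path are constructed samples; the actual request path used by the plugin is not given on the page.

```python
import re
from urllib.parse import urlparse, parse_qs

# Allowlist for what a 'language' value should look like ("en", "en_US", "pt_BR").
# Assumption: the plugin expects WordPress-style locale codes; the page does not state the exact format.
LOCALE_RE = re.compile(r"^[a-z]{2,3}(_[A-Z]{2})?$")

# Apache/nginx combined log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the second carries a classic single-quote break-out in 'language'.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Feb/2026:21:49:02 +0000] "GET /booking/?language=en_US HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/Feb/2026:21:50:11 +0000] "GET /booking/?language=en_US%27+OR+1%3D1--+ HTTP/1.1" 200 9981',
    '198.51.100.7 - - [25/Feb/2026:21:51:30 +0000] "GET /booking/?language=fr HTTP/1.1" 200 300',
]


def language_values(target: str) -> list[str]:
    """Return every percent-decoded 'language' query value in a request target."""
    query = urlparse(target).query
    return parse_qs(query, keep_blank_values=True).get("language", [])


def is_suspicious(value: str) -> bool:
    """True when the value is anything other than a plain locale code."""
    return LOCALE_RE.fullmatch(value) is None


def triage(lines: list[str]) -> list[tuple[str, str]]:
    """Return (client IP, decoded value) for each request whose 'language' fails the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for value in language_values(m["target"]):
            if is_suspicious(value):
                findings.append((m["ip"], value))
    return findings


if __name__ == "__main__":
    for ip, value in triage(SAMPLE_LOG):
        print(f"suspicious language value from {ip}: {value!r}")
```

Access logs only expose the query string, so if the parameter travels in a POST body the same allowlist should be enforced in the WAF rule or, better, in the plugin code before the value reaches `$wpdb`.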
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-09T16:21:33.869Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e4eb7ef31ef0b59ca75
Added to database: 2/25/2026, 9:49:02 PM
Last enriched: 2/26/2026, 2:14:13 AM
Last updated: 2/26/2026, 9:51:46 AM