CVE-2023-4691 - Deep Dive into a High Privilege SQL Injection in WordPress Online Booking & Scheduling Plugin

WordPress powers a huge part of the internet, making plugin vulnerabilities serious business. Recently, a critical flaw — CVE-2023-4691 — was discovered in the widely-used Online Booking and Scheduling Plugin before version 22.4. This bug exposes WordPress sites to SQL Injection, but only by high-privileged users like admins. Let’s break down what went wrong, see some example code, explore a simple exploit, and learn how to protect your site.

What is CVE-2023-4691?

CVE-2023-4691 is a security vulnerability affecting the Online Booking and Scheduling Plugin (also known as Bookly), before version 22.4. This plugin is popular for managing appointments and schedules on WordPress-based businesses.

The issue comes down to improper sanitization and escaping of a parameter before it's used in an SQL statement. This flaw allows attackers, who already have high-level access (like Administrator), to execute arbitrary SQL queries on the site’s database.

- CVE Record: CVE-2023-4691
- Original Advisory: WPScan Vulnerability Database
- Plugin Changelog: Plugin changelog on WordPress.org

The Technical Issue: How Did This Happen?

WordPress plugins often need to take user input (from forms or URLs) and query the database. If this user input is not sanitized (cleaned up) and escaped (safely prepared), attackers can send malicious input that changes the way the database query works.

Here's a simplified vulnerable code snippet to show how this kind of bug works

// Example of bad practice:
$user_input = $_POST['appointment_id'];             // No sanitization!
$query = "SELECT * FROM {$wpdb->prefix}bookly_appointments WHERE id = $user_input";
$result = $wpdb->get_results($query);

If $user_input comes straight from a user and isn’t sanitized or escaped, an attacker can submit something like:

1; DROP TABLE wp_users; --

The resulting query would be

SELECT * FROM wp_bookly_appointments WHERE id = 1; DROP TABLE wp_users; -- 

If the plugin runs this, it could destroy your user table or worse.

In the case of CVE-2023-4691, the flaw allowed SQL injection during certain admin or high-privilege dashboard actions, meaning a compromised or malicious admin could further escalate attacks.

Exploit Details

Who can attack?
Only users with high privileges (like Admins) can exploit this bug directly. This limits the bug’s impact to situations where those accounts are compromised – but in practice, an XSS or stolen admin account could chain this vulnerability for a full site takeover.

Example Exploit Scenario

Let’s say there’s a hidden AJAX endpoint for booking management that receives an ID from an admin:

// Vulnerable endpoint for deleting appointments
if ($_POST['action'] == 'delete_appointment') {
    $id = $_POST['id'];  // Not sanitized
    $wpdb->query("DELETE FROM {$wpdb->prefix}bookly_appointments WHERE id = $id");
}

An attacker with admin access POSTs to this endpoint

id= OR 1=1

This SQL turns into

DELETE FROM wp_bookly_appointments WHERE id =  OR 1=1

Result? Deletes all appointments!

Going further, an attacker could exfiltrate data from any table, or even create a new admin account for persistent access.

If you want to check if your site is vulnerable, try submitting a parameter like this (as admin)

id=1' UNION SELECT 1, user_login, user_pass FROM wp_users --

If the results include actual usernames or password hashes, your site is at risk.

Update Immediately

If you use this plugin, make sure it's version 22.4 or higher. The developer fixed this issue by properly sanitizing and escaping the affected variables using WordPress’s $wpdb->prepare() and other safe methods.

Review Admin Access

Limit how many users have administrator roles, and always use strong passwords with multi-factor authentication.

Keep All Plugins Updated

Vulnerabilities like this one are common. Check for updates on a weekly basis and remove plugins you don’t use.

How to Mitigate in Your Code (for Developers)

Always sanitize and escape every user input, even when you *think* only trusted users can supply it. In WordPress, you should use:

$id = isset($_POST['id']) ? intval($_POST['id']) : ;
$query = $wpdb->prepare(
    "DELETE FROM {$wpdb->prefix}bookly_appointments WHERE id = %d",
    $id
);
$wpdb->query($query);

References

- CVE-2023-4691 NVD Entry
- WPScan Vulnerability Report
- WordPress Plugin Online Booking & Scheduling
- SQL Injection Prevention (OWASP)

Final Thoughts

CVE-2023-4691 reminds us that *even trusted users can turn on you* — whether through malware, phishing, or mistakes. Always code with suspicion. If you run WordPress, make prompt updates a habit, restrict admin access, and audit your plugins for signs of insecure input handling.

For plugin developers, let this be a wake-up call: Never trust user input, always use prepared statements, no exceptions!

Stay safe, patch promptly, and keep your plugins lean and secure.

Timeline

Published on: 10/16/2023 20:15:16 UTC
Last modified on: 11/07/2023 04:22:50 UTC