MotoPress Appointment Booking Plugin Vulnerability (CVE-2026-13454)

Security Alert Summary

The MotoPress Appointment Booking plugin for WordPress (all versions up to and including 2.4.5) contains a SQL injection vulnerability in the s parameter. Authenticated users assigned the mpa_appointment_employee custom role can inject SQL into existing queries to extract sensitive information from the database.


CVE Details

  • CVE ID: CVE-2026-13454
  • Affected component: MotoPress Appointment Booking plugin for WordPress
  • Affected versions: All versions up to and including 2.4.5
  • Published: July 1, 2026 at 10:16:27 AM UTC
  • Last modified: July 1, 2026 at 1:56:17 PM UTC
  • CVSS v3.1: Base score 6.5 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Authentication / privileges / user interaction:
    • Requires an authenticated user; exploitation requires assignment of the mpa_appointment_employee custom role.
    • Privileges required: LOW (an authenticated low-privileged role can exploit).
    • User interaction: NONE.
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE
  • Weakness: CWE-89 (SQL Injection)

Technical Details

The plugin fails to properly escape and prepare user-supplied input for the s parameter used in booking management code. Insufficient escaping and lack of prepared statements allow an authenticated user with the mpa_appointment_employee role to append additional SQL queries to existing queries. The issue is present in the plugin code that handles bookings (see ManageBookingsPage.php in the plugin references), where the s parameter is incorporated into SQL without adequate sanitization or parameterization.

Successful exploitation enables extraction of sensitive information from the database via crafted input. The available details do not indicate data modification or denial of service; the primary effect described is disclosure of confidential information.
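The escaping and parameterization failure described above, shown as an added illustrative example that is not the plugin's own code (the actual query in ManageBookingsPage.php is not reproduced on this page); the post type, columns and function names are assumptions, while $wpdb->prepare(), $wpdb->esc_like(), sanitize_text_field() and wp_unslash() are standard WordPress APIs.

```php
<?php
// Illustrative pattern only: NOT the plugin's code. The post type
// 'mpa_booking' and the mpa_example_* function names are assumed.

// BEFORE (vulnerable pattern, CWE-89): the search term from the request is
// concatenated straight into the SQL string, so user input can change the
// structure of the query instead of only its data.
function mpa_example_search_bookings_vulnerable( $wpdb, $search ) {
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}"
         . " WHERE post_type = 'mpa_booking'"
         . " AND post_title LIKE '%" . $search . "%'";
    return $wpdb->get_results( $sql );
}

// AFTER (hardened): normalize the input, escape LIKE wildcards, then let
// $wpdb->prepare() bind the value as a quoted, escaped parameter. The
// query structure is fixed at authoring time; the input is only ever data.
function mpa_example_search_bookings_safe( $wpdb, $search ) {
    $search = sanitize_text_field( wp_unslash( $search ) );
    $like   = '%' . $wpdb->esc_like( $search ) . '%';
    $sql    = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}"
        . " WHERE post_type = %s AND post_title LIKE %s",
        'mpa_booking',
        $like
    );
    return $wpdb->get_results( $sql );
}

// Caller side (assumed shape): read the 's' request parameter the way an
// admin list page would and route it only through the hardened helper.
function mpa_example_handle_request( $wpdb ) {
    $search = isset( $_GET['s'] ) ? (string) $_GET['s'] : '';
    if ( '' === $search ) {
        return array();
    }
    return mpa_example_search_bookings_safe( $wpdb, $search );
}
```

When reviewing a plugin for this class of bug, grep for $wpdb calls whose SQL string is built with interpolation or concatenation of request data and check that every such value goes through $wpdb->prepare() with a %s/%d placeholder (and $wpdb->esc_like() when used inside LIKE).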


How This Could Impact Your Website

Consider a small business site using MotoPress Appointment Booking where the site owner assigns an internal staff member or an external contractor the mpa_appointment_employee role to manage appointments. If that user is compromised or acts maliciously, they could exploit the SQL injection to retrieve sensitive data from the database such as customer records or internal user information.

Practical consequences include exposure of internal user email addresses and other stored data, which increases the risk of targeted phishing or social engineering against staff and customers. Attackers with access to exposed email lists may attempt credential phishing or impersonation of staff members.

If you are unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles; remove or restrict the mpa_appointment_employee role where it is not required.
  • Enforce strong passwords and enable two-factor authentication for editor and administrator accounts and other privileged roles.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and database access for unusual behavior or unexpected queries.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References