What is CVE-2022-47428?

SQL injection flaw in WpDevArt Booking Calendar up to version 3.2.7, allowing unauthenticated database access via booking forms.

How do I fix CVE-2022-47428 in WordPress?

Update the plugin to 3.2.8+, deactivate if unavailable, add WAF protection like Wordfence.

Which WordPress sites are affected by CVE-2022-47428?

Any running WpDevArt Booking Calendar or Appointment Booking System before 3.2.8—check your plugins list now.

🕳️ Vulnerabilities & CVEs

CVE-2022-47428: The SQL Injection Lurking in Your WordPress Booking Calendar

Everyone figured WordPress booking plugins were battle-tested by now. Wrong. CVE-2022-47428 slips in an SQL injection that could dump your entire database.

theAIcatchup Apr 08, 2026 4 min read

WordPress booking calendar interface with SQL injection warning overlay

⚡ Key Takeaways

CVE-2022-47428 enables unauthenticated SQL injection in popular WordPress booking plugins up to version 3.2.7. 𝕏
Update immediately or deactivate; layer with WAF for defense. 𝕏
This vuln foreshadows AI-exploited plugin chains in hyper-connected web services. 𝕏

Published by

theAIcatchup

Threat intelligence. Zero noise.

#Booking Plugin #CVE-2022-47428 #Plugin Security #SQL injection #WordPress Vulnerability #WpDevArt Booking

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by NVD Vulnerabilities

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

CVE-2022-46808: The SQL Injection Lurking in ARMember's Membership Plugin

Slimstat's SQL Injection Nightmare: CVE-2022-45373 Cracks Open Analytics Doors

Spiffy Calendar SQL Injection Lets Hackers Hijack WordPress Databases

CVE-2022-46818: SQL Injection Lets Attackers Raid WordPress Subscriber Lists

Stay in the loop