CVE-2025-22785
Published: 15 January 2025
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ComMotion Course Booking System course-booking-system allows SQL Injection. This issue affects Course Booking System: from n/a through <= 6.0.6.
Security Summary
CVE-2025-22785 is an SQL Injection vulnerability (CWE-89) due to improper neutralization of special elements in an SQL command within the ComMotion Course Booking System WordPress plugin (course-booking-system). This issue affects all versions from an unspecified initial release through 6.0.6. Published on 2025-01-15, it carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L), indicating critical severity with network accessibility, low attack complexity, no privileges or user interaction required, and scope change.
Unauthenticated remote attackers can exploit this vulnerability over the network. Successful exploitation enables high confidentiality impact, such as unauthorized access to sensitive data in the database, alongside low availability disruption and no integrity impact.
The Patchstack advisory provides further details on this vulnerability in the WordPress Course Booking System plugin: https://patchstack.com/database/Wordpress/Plugin/course-booking-system/vulnerability/wordpress-course-booking-system-plugin-6-0-5-sql-injection-vulnerability?_s_id=cve.
Details
- CWE(s): CWE-89