WordPress is an open source blogging tool and content management system based on PHP and MySQL. It has many features including a plug-in architecture and a template system. CP Reservation Calendar is a booking calendar that allows selecting dates - ex: check-in and check-out dates - for a reservation.
Multiple SQL injection vulnerabilities in the implemented dex_reservations.php source file allows remote attackers to execute arbitrary SQL commands via the id parameter in a dex_reservations_calendar_load2 action or dex_item parameter in a dex_reservations_check_posted_data action in a request to the default URI. An unauthenticated, remote attacker can exploit the vulnerability by transmitting malicious HTTP GET requests to inject and execute arbitrary SQL commands in the targeted application's database.
CP Reservation Calendar plugin for WordPress prior to version 1.1.7
Successful exploitation allows an unauthenticated, remote attacker to manipulate SQL queries by injecting arbitrary SQL code or further exploit latent vulnerabilities in the underlying database.