A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24. The flaw were found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called. Exploiting succesful this vulnerability we need a vulnerable wordpress site with especial character set for to bypass the ´addslashes´ function (called automatically and applied in all variables $_POST and $_GET by wordpress ´wp_magic_quotes´ function). The vulnerable code is: $myrows = $wpdb->get_results( "SELECT * FROM ".CPABC_APPOINTMENTS_CONFIG_TABLE_NAME." WHERE conwer=$conwer ORDER BY `".CPABC_TDEAPP_CONFIG_ID."` DESC" ); The variable ´$conwer´ is not sanitized and is used in the query.