Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network-reachable AJAX endpoint (AV:N/AC:L), Subscriber role required (PR:L), no UI; SQLi crosses into core WP tables (S:C, C:H); no write primitive shown (I:N) with minor A:L from query load.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber SQL Injection in WP Time Slots Booking Form <= 1.2.50 versions.
AnalysisAI
SQL injection in the WP Time Slots Booking Form WordPress plugin (versions 1.2.50 and earlier) allows authenticated Subscriber-level users to inject arbitrary SQL into backend database queries. The CVSS 3.1 vector indicates a scope change with high confidentiality impact, meaning an attacker who only holds the lowest WordPress role can read data beyond the plugin's own scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
The flaw is a CWE-89 Improper Neutralization of Special Elements used in an SQL Command, affecting the codepeople 'WP Time Slots Booking Form' plugin (CPE cpe:2.3:a:codepeople:wp_time_slots_booking_form). Plugins of this class typically expose AJAX or admin-ajax endpoints to logged-in users for booking lookups and slot availability checks; when user-controlled parameters are concatenated into SQL queries instead of being passed through wpdb->prepare(), Subscriber-authenticated requests can manipulate the WHERE/ORDER BY clauses to extract data from the wp_users or wp_options tables. The Scope:Changed metric (S:C) in the CVSS vector reflects that exploitation reaches WordPress core tables outside the plugin's own data domain.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-time-slots-booking-form/vulnerability/wordpress-wp-time-slots-booking-form-plugin-1-2-50-sql-injection-vulnerability) for the latest fixed release and upgrade to a version above 1.2.50 as soon as one is published. Until a patched version is confirmed, deactivate the plugin if booking functionality is non-essential, or disable open Subscriber self-registration via Settings > General > Membership to remove the PR:L precondition (trade-off: blocks legitimate new account signups). As a compensating control, deploy a WAF rule (Patchstack, Wordfence, or ModSecurity) targeting SQLi patterns on the plugin's AJAX endpoints, and restrict access to wp-admin/admin-ajax.php for low-privilege roles where feasible (trade-off: may break other plugins that legitimately use Subscriber AJAX calls).
More in Wp Time Slots Booking Form
View allMissing Authorization vulnerability in CodePeople WP Time Slots Booking Form.2.11. Rated critical severity (CVSS 9.8), t
The WP Time Slots Booking Form WordPress plugin before 1.1.63 does not sanitise and escape Calendar names, allowing high
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.2.06. Rated high severity (CVSS 7.5), this
Reflected/stored cross-site scripting in the WP Time Slots Booking Form WordPress plugin (versions up to and including 1
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CodePeople
WP Time Slots Booking Form through version 1.2.42 contains a missing authorization vulnerability that allows unauthentic
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.1.76. Rated medium severity (CVSS 4.3), thi
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36857
GHSA-q38v-6c9h-xhfr