Skip to main content

WP Time Slots Booking Form EUVDEUVD-2026-36857

| CVE-2026-48882 HIGH
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-q38v-6c9h-xhfr
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Network-reachable AJAX endpoint (AV:N/AC:L), Subscriber role required (PR:L), no UI; SQLi crosses into core WP tables (S:C, C:H); no write primitive shown (I:N) with minor A:L from query load.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:45 vuln.today

DescriptionCVE.org

Subscriber SQL Injection in WP Time Slots Booking Form <= 1.2.50 versions.

AnalysisAI

SQL injection in the WP Time Slots Booking Form WordPress plugin (versions 1.2.50 and earlier) allows authenticated Subscriber-level users to inject arbitrary SQL into backend database queries. The CVSS 3.1 vector indicates a scope change with high confidentiality impact, meaning an attacker who only holds the lowest WordPress role can read data beyond the plugin's own scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

The flaw is a CWE-89 Improper Neutralization of Special Elements used in an SQL Command, affecting the codepeople 'WP Time Slots Booking Form' plugin (CPE cpe:2.3:a:codepeople:wp_time_slots_booking_form). Plugins of this class typically expose AJAX or admin-ajax endpoints to logged-in users for booking lookups and slot availability checks; when user-controlled parameters are concatenated into SQL queries instead of being passed through wpdb->prepare(), Subscriber-authenticated requests can manipulate the WHERE/ORDER BY clauses to extract data from the wp_users or wp_options tables. The Scope:Changed metric (S:C) in the CVSS vector reflects that exploitation reaches WordPress core tables outside the plugin's own data domain.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-time-slots-booking-form/vulnerability/wordpress-wp-time-slots-booking-form-plugin-1-2-50-sql-injection-vulnerability) for the latest fixed release and upgrade to a version above 1.2.50 as soon as one is published. Until a patched version is confirmed, deactivate the plugin if booking functionality is non-essential, or disable open Subscriber self-registration via Settings > General > Membership to remove the PR:L precondition (trade-off: blocks legitimate new account signups). As a compensating control, deploy a WAF rule (Patchstack, Wordfence, or ModSecurity) targeting SQLi patterns on the plugin's AJAX endpoints, and restrict access to wp-admin/admin-ajax.php for low-privilege roles where feasible (trade-off: may break other plugins that legitimately use Subscriber AJAX calls).

Share

EUVD-2026-36857 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy