What the vulnerability does
01Description
WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the space_id parameter. Attackers can send GET requests to the booking-page endpoint with malicious space_id values using AND SLEEP() payloads to extract sensitive database information.
Explanation of Vulnerability in Simple Terms
02Summary
The Car Park Booking System contains a SQL injection vulnerability in its input handling. An attacker on the network can craft malicious input to execute arbitrary SQL commands against the database without authentication. This allows reading or modifying booking records and other sensitive data stored in the system.
What an attacker can do
03Attacker Capabilities
Execute SQL commands to read or modify database records without authentication.
Potential impact on your site
04Site Impact
Attackers can access, modify, or delete booking data and other database contents without logging in.
Conditions required to exploit
05Prerequisites
Network access to the Car Park Booking System; no authentication or user interaction required.
Key dates
06Disclosure timeline
June 9, 2026
CVE published
June 9, 2026
Record updated