CVE-2017-20243 HIGH

CVE-2017-20243: WordPress Car Park Booking Plugin SQL Injection via space_id

Vendor Quanticalabs
Product Car Park Booking System
Weakness CWE-89 · SQLi
Published June 9, 2026
Last update June 9, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the space_id parameter. Attackers can send GET requests to the booking-page endpoint with malicious space_id values using AND SLEEP() payloads to extract sensitive database information.

Explanation of Vulnerability in Simple Terms

02Summary

The Car Park Booking System contains a SQL injection vulnerability in its input handling. An attacker on the network can craft malicious input to execute arbitrary SQL commands against the database without authentication. This allows reading or modifying booking records and other sensitive data stored in the system.

What an attacker can do

03Attacker Capabilities

Execute SQL commands to read or modify database records without authentication.

Potential impact on your site

04Site Impact

Attackers can access, modify, or delete booking data and other database contents without logging in.

Conditions required to exploit

05Prerequisites

Network access to the Car Park Booking System; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 9, 2026 CVE published
June 9, 2026 Record updated

Related vulnerabilities

08Related CVE