Description
WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the space_id parameter. Attackers can send GET requests to the booking-page endpoint with malicious space_id values using AND SLEEP() payloads to extract sensitive database information.
Published: 2026-06-09
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a time‑based SQL injection in the QuanticaLabs Car Park Booking System plugin for WordPress. By submitting a malicious space_id value in a GET request to the booking-page endpoint, an attacker can execute arbitrary SQL statements that are run with the privileges of the WordPress database user. The result is that an unauthenticated visitor can read sensitive data from the database, exposing the site’s confidential information. Based on the description, it is inferred that the plugin does not validate or escape the space_id input, allowing the injection to succeed.

Affected Systems

The affected product is the QuanticaLabs Car Park Booking System WordPress plugin, specifically the release dated 13 October 2017. The flaw exists in that version and in any earlier unpatched releases. Site owners who obtained the plugin from CodeCanyon, the WordPress repository or other third‑party sources should verify the installed version and determine whether a patched release is available.

Risk and Exploitability

The CVSS base score of 8.8 classifies the issue as high severity. The EPSS score is not available, so the current likelihood of exploitation is uncertain; however, the lack of authentication and the ability to confirm the injection with a simple SLEEP() payload suggest that an attacker can readily test for and exploit the flaw. The vulnerability is not listed in the CISA KEV catalog, but the potential for confidential data exposure and possible further attacks create a serious risk for affected sites.

Generated by OpenCVE AI on June 9, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Car Park Booking System plugin to the latest patched version that eliminates the SQL injection flaw.
  • If the plugin cannot be upgraded, restrict the MySQL user credentials used by WordPress to read‑only permissions and block remote access to the booking‑page endpoint via firewall or web server rules.
  • Implement a web application firewall or custom input‑sanitization rule that detects and blocks malicious SQL patterns in the space_id GET parameter.
  • Monitor web server logs for unusual GET requests to the booking‑page that contain SQL control characters or payloads such as SLEEP(), and investigate any suspicious activity.
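The last two actions above amount to a detection rule. As an added example (not OpenCVE's or the plugin vendor's code), the following Python script runs that rule over constructed Apache/nginx combined-format access-log lines: it isolates requests to the booking-page endpoint, percent-decodes the space_id parameter once (as PHP does for $_GET), allow-lists the plain integer the plugin expects, and labels everything else, using the SLEEP()/quote/comment patterns only to classify the finding. The endpoint path and parameter name are taken from the description above; the IP addresses and log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# One Apache/nginx "combined"-format access-log line. The request line is logged
# verbatim, so the target may contain spaces if a client sent them unencoded.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Tokens that never belong in an integer space id: time-delay functions,
# a boolean operator followed by a number, quotes, and SQL comment openers.
SQLI_RE = re.compile(
    r"\bsleep\s*\(|\bbenchmark\s*\(|\bpg_sleep\s*\(|\bwaitfor\s+delay\b"
    r"|\b(?:and|or)\s+\d|['\"`]|--|/\*|#",
    re.IGNORECASE,
)

def inspect_space_id(target):
    """Return (space_id, reason) for a booking-page request whose space_id is not
    a plain integer, else None. reason is 'sql-pattern' or 'non-integer'."""
    parts = urlsplit(target)
    if "booking-page" not in parts.path:
        return None
    # parse_qs percent-decodes each value once, matching what PHP puts in $_GET.
    for value in parse_qs(parts.query, keep_blank_values=True).get("space_id", []):
        if value.isdigit():
            continue  # the only shape a legitimate booking-space id can have
        return value, ("sql-pattern" if SQLI_RE.search(value) else "non-integer")
    return None

def scan_log(lines):
    """Apply the rule to log lines; return [(ip, timestamp, status, space_id, reason)]."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line, or a different log format
        hit = inspect_space_id(m["target"])
        if hit is not None:
            findings.append((m["ip"], m["ts"], int(m["status"]), *hit))
    return findings

# Constructed sample lines using documentation address ranges; not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2026:13:40:01 +0000] "GET /booking-page/?space_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Jun/2026:13:40:02 +0000] "GET /booking-page/?space_id=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Jun/2026:13:41:10 +0000] "GET /booking-page/?space_id=12%27 HTTP/1.1" 200 5120 "-" "curl/8.0"',
    '198.51.100.9 - - [09/Jun/2026:13:41:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '192.0.2.4 - - [09/Jun/2026:13:42:00 +0000] "GET /booking-page/?space_id=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, space_id, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} space_id={space_id!r} -> {reason}")
```

Because a time-based injection returns a normal HTTP 200, the status code alone says nothing; if the log format also records response time (Apache %D, nginx $request_time), a multi-second latency on a flagged request corroborates that the injected delay executed.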

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Quanticalabs
                                      Quanticalabs car Park Booking System
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Quanticalabs
                                      Quanticalabs car Park Booking System
                                      Wordpress
                                      Wordpress wordpress

Tue, 09 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 12:30:00 +0000

Type          Values Removed   Values Added
Description                    WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the space_id parameter. Attackers can send GET requests to the booking-page endpoint with malicious space_id values using AND SLEEP() payloads to extract sensitive database information.
Title                          WordPress Car Park Booking Plugin SQL Injection via space_id
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1
                               {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                               cvssV4_0
                               {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T14:09:07.662Z

Reserved: 2026-06-08T11:41:41.810Z

Link: CVE-2017-20243

Vulnrichment

Updated: 2026-06-09T14:08:38.380Z

NVD

Status: Deferred

Published: 2026-06-09T13:16:33.967

Modified: 2026-06-09T13:51:18.770

Link: CVE-2017-20243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:20:57Z

Weaknesses