Description
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'month' parameter in all versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-12-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Database compromise via SQL injection
Action: Apply Patch
AI Analysis

Impact

VikRentCar Car Rental Management System is vulnerable to a time-based blind SQL injection through the 'month' parameter in all releases up to and including 1.4.4. The flaw stems from insufficient escaping of the user-supplied value and the absence of a prepared statement for the existing query, a classic SQL injection (CWE-89). An authenticated attacker with Administrator privileges can append arbitrary SQL to the existing query and use it to extract sensitive data from the database. Because the injection is blind, the attacker must infer results from timing or error responses rather than from returned data, yet the data exposed can still be critical for further compromise or exfiltration.

Affected Systems

All installations of VikRentCar Car Rental Management System for WordPress with version 1.4.4 or earlier are affected. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not listed in CISA KEV. The attack requires authenticated Administrator access; risk is therefore markedly higher for sites with compromised credentials or exposed administrative interfaces, while the overall likelihood of exploitation remains low to moderate.

Generated by OpenCVE AI on April 22, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade VikRentCar to version 1.4.5 or newer so that the 'month' parameter is no longer passed to SQL unescaped
  • Restrict administrator access to trusted accounts, enforce strong passwords and two‑factor authentication
  • Apply input validation or parameterized queries to the 'month' parameter in custom code until the official fix is applied
  • Monitor database logs for suspicious SQL activity and rotate database credentials regularly
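The third action above, shown as an added illustration (this is hypothetical code, not VikRentCar's own): a WordPress handler that interpolates 'month' straight into SQL, beside a hardened version that whitelists the value and binds it with $wpdb->prepare(). The table name wp_hypothetical_bookings and its columns are assumed.

```php
<?php
// Added example, not the plugin's code. Assumes it runs inside WordPress
// (global $wpdb) against a hypothetical table {prefix}hypothetical_bookings
// with an integer column `month`.

// Vulnerable pattern: the request value is concatenated into the query, so
// anything in $_GET['month'] is executed as SQL (the CWE-89 condition the
// advisory describes). Kept only to contrast with the hardened form below.
function bookings_for_month_vulnerable() {
    global $wpdb;
    $month = isset( $_GET['month'] ) ? $_GET['month'] : '';
    $sql   = "SELECT id, pickup_date FROM {$wpdb->prefix}hypothetical_bookings "
           . "WHERE month = " . $month;
    return $wpdb->get_results( $sql );
}

// Whitelist: 'month' is only meaningful as an integer in 1..12. Anything else
// (including a string carrying SQL) is rejected before it reaches the query.
function validate_month( $raw ) {
    $month = filter_var(
        $raw,
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1, 'max_range' => 12 ) )
    );
    return ( false === $month ) ? null : $month;
}

// Hardened pattern: validate first, then let $wpdb->prepare() bind the value
// as an integer (%d). The two controls are independent; even a mistake in the
// query string leaves no string input for an attacker to shape.
function bookings_for_month_hardened() {
    global $wpdb;
    $month = validate_month( isset( $_GET['month'] ) ? $_GET['month'] : '' );
    if ( null === $month ) {
        return new WP_Error( 'bad_month', 'month must be an integer from 1 to 12' );
    }
    $sql = $wpdb->prepare(
        "SELECT id, pickup_date FROM {$wpdb->prefix}hypothetical_bookings WHERE month = %d",
        $month
    );
    return $wpdb->get_results( $sql );
}
```

The capability check the advisory implies (Administrator-level access) does not protect against a compromised admin account, which is why the input whitelist and the prepared statement are the controls that matter here.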


Advisories

No advisories yet.

History

Thu, 04 Dec 2025 17:00:00 +0000

Type: First Time appeared
Values added:
  • E4j
  • E4j vikrentcar Car Rental Management System
  • Wordpress
  • Wordpress wordpress
Type: Vendors & Products
Values added:
  • E4j
  • E4j vikrentcar Car Rental Management System
  • Wordpress
  • Wordpress wordpress

Tue, 02 Dec 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values added:
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Dec 2025 08:30:00 +0000

Type: Description
Values added: The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'month' parameter in all versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Type: Title
Values added: VikRentCar Car Rental Management System <= 1.4.4 - Authenticated (Author+) SQL Injection via 'month' Parameter
Type: Weaknesses
Values added: CWE-89
Type: References
Values added: (empty)
Type: Metrics (cvssV3_1)
Values added:
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:43.531Z

Reserved: 2025-11-25T22:27:24.607Z

Link: CVE-2025-13724

Vulnrichment

Updated: 2025-12-02T14:41:35.768Z

NVD

Status: Deferred

Published: 2025-12-02T09:15:47.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13724

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses