Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Bus Ticket Booking with Seat Reservation for WooCommerce scw-bus-seat-reservation allows SQL Injection. This issue affects Bus Ticket Booking with Seat Reservation for WooCommerce: from n/a through <= 1.7.
Published: 2025-05-23
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of special elements in an SQL command allows attackers to inject arbitrary SQL statements into the Bus Ticket Booking with Seat Reservation for WooCommerce plugin. This flaw can enable data exfiltration, modification, or deletion, and depending on the database configuration, may lead to escalation of privileges or execution of additional malicious code. The weakness is a classic SQL Injection (CWE-89) and carries the potential to undermine the confidentiality, integrity, and availability of the underlying data store.

Affected Systems

The affected plugin is Bus Ticket Booking with Seat Reservation for WooCommerce by smartcms, versions from the earliest release up to and including 1.7. No specific revision numbers are listed, but all releases 1.7 and earlier are vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating critical severity, while the EPSS score is below 1%, suggesting a low probability of exploitation at present. It is not listed in the CISA KEV catalog. Attackers can likely exploit the flaw remotely by sending crafted requests to the plugin’s endpoints; authentication requirements are not specified, so both authenticated and unauthenticated scenarios are possible. Because there is no evidence of exploitation so far, the practical risk depends on whether an attacker can discover and reach the vulnerable endpoints.

Generated by OpenCVE AI on April 30, 2026 at 18:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade to version 1.8 or higher of the Bus Ticket Booking with Seat Reservation for WooCommerce plugin
  • If upgrade is not immediately feasible, disable or remove the plugin to block the vulnerable code from being executed
  • Implement strict input validation and parameterized queries in any custom code that interacts with the plugin’s database tables
  • Configure the database user account with the minimum required privileges to limit the impact of potential injection attempts
  • Deploy a web application firewall that filters out suspicious SQL patterns and monitors for anomalous requests

Advisories
Source: EUVD
ID: EUVD-2025-27803
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Bus Ticket Booking with Seat Reservation for WooCommerce allows SQL Injection. This issue affects Bus Ticket Booking with Seat Reservation for WooCommerce: from n/a through 1.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Bus Ticket Booking with Seat Reservation for WooCommerce allows SQL Injection. This issue affects Bus Ticket Booking with Seat Reservation for WooCommerce: from n/a through 1.7.
Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Bus Ticket Booking with Seat Reservation for WooCommerce scw-bus-seat-reservation allows SQL Injection.This issue affects Bus Ticket Booking with Seat Reservation for WooCommerce: from n/a through <= 1.7.
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Bus Ticket Booking with Seat Reservation for WooCommerce allows SQL Injection. This issue affects Bus Ticket Booking with Seat Reservation for WooCommerce: from n/a through 1.7.
Title WordPress Bus Ticket Booking with Seat Reservation for WooCommerce plugin <= 1.7 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:06.488Z

Reserved: 2025-03-28T10:59:36.420Z

Link: CVE-2025-31397

Vulnrichment

Updated: 2025-05-23T13:22:05.886Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:26.893

Modified: 2026-04-23T15:27:45.173

Link: CVE-2025-31397

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:00:14Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')