Impact
The vulnerability is an SQL Injection flaw in the FAT Services Booking WordPress plugin caused by improper handling of special elements in SQL commands (CWE‑89). This weakness allows a malicious actor to inject arbitrary SQL statements through user‑supplied input. The CVE description confirms that such injection is possible, but it does not explicitly state what the attacker can read, modify, or delete; that outcome is inferred from the nature of SQL Injection and the typical privileges of the WordPress database user.
Affected Systems
The flaw exists in the roninwp FAT Services Booking plugin for WordPress versions up to and including 5.6. Any site using plugin version 5.6 or older is potentially vulnerable.
Risk and Exploitability
The CVSS v3 score of 8.5 classifies the issue as high severity. The EPSS score of < 1 % indicates a low current likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is client‑side, via unauthenticated HTTP requests to the plugin’s database‑access endpoints; this is inferred because the description does not mention authentication requirements. Successful exploitation could enable arbitrary SQL execution against the WordPress database, potentially compromising confidentiality, integrity, or availability of stored data.
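As an added illustration of the CWE-89 pattern the advisory describes and of the standard WordPress fix, the following is example code written for this page, not code from the FAT Services Booking plugin; the AJAX action name, the table name and the `service_id` parameter are hypothetical, and the unauthenticated `nopriv` hook mirrors the access path inferred above.

```php
<?php
// Illustrative example only; not the FAT Services Booking plugin's code.
// Hypothetical AJAX endpoint that returns bookings for one service.

// --- Vulnerable pattern (CWE-89): request data is interpolated into SQL. ---
function fsb_demo_bookings_vulnerable() {
    global $wpdb;
    $service = $_GET['service_id'];                    // attacker-controlled, unvalidated
    $table   = $wpdb->prefix . 'fsb_demo_bookings';    // hypothetical table name
    // Special characters in $service alter the statement's structure.
    $rows = $wpdb->get_results( "SELECT * FROM {$table} WHERE service_id = {$service}" );
    wp_send_json( $rows );
}

// --- Hardened pattern: validate the type, then bind with $wpdb->prepare(). ---
function fsb_demo_bookings_hardened() {
    global $wpdb;
    // 1. Coerce the input to a non-negative integer and reject zero/missing values
    //    before anything reaches the database layer.
    $service = isset( $_GET['service_id'] ) ? absint( wp_unslash( $_GET['service_id'] ) ) : 0;
    if ( 0 === $service ) {
        wp_send_json_error( 'invalid service_id', 400 );
    }
    $table = $wpdb->prefix . 'fsb_demo_bookings';      // hypothetical table name
    // 2. Bind the value with a typed placeholder (%d); the table name comes from
    //    the configured prefix, not from the request, so interpolating it is safe.
    $sql  = $wpdb->prepare( "SELECT id, start_time FROM {$table} WHERE service_id = %d", $service );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Register only the hardened handler. Because the nopriv hook serves logged-out
// visitors, input validation and prepare() are the only barrier between an
// arbitrary HTTP request and the WordPress database.
add_action( 'wp_ajax_fsb_demo_bookings', 'fsb_demo_bookings_hardened' );
add_action( 'wp_ajax_nopriv_fsb_demo_bookings', 'fsb_demo_bookings_hardened' );
```

For string-valued inputs the same approach applies with a `%s` placeholder and `sanitize_text_field()` in place of `absint()`; the point is that user input is bound as data, never spliced into the SQL text.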
OpenCVE Enrichment