Impact
Improper neutralization of special elements in SQL statements (SQL injection, CWE‑89) allows an attacker to inject arbitrary SQL through the Advance Seat Reservation Management for WooCommerce plugin. The flaw can lead to unauthorized data exposure and modification, and potentially to the execution of arbitrary commands if the database account's permissions are permissive. The vulnerability is present in all releases up to and including version 3.1.
Affected Systems
The affected product is the WordPress plugin Advance Seat Reservation Management for WooCommerce (scw‑seat‑reservation) from smartcms. All installations using version 3.1 or earlier are impacted. No specific patch version is listed, so the issue applies broadly to this release line.
Risk and Exploitability
The CVSS score of 9.3 places the flaw in the high‑severity range. The EPSS score of less than 1% indicates a low probability of exploitation in the current threat environment, and the vulnerability is not yet recorded in the CISA KEV catalog. The likely attack vector is user-supplied input in the reservation or booking functionality, which may be reachable by authenticated or unauthenticated users depending on the site configuration. Because that input reaches the plugin's database queries without proper input validation or parameterized queries, an attacker could feasibly submit malicious payloads to them; either control would mitigate the risk.
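As an added illustration that is not the plugin's code and not part of the advisory (the plugin's actual query is not shown here, and the function, table and parameter names are assumptions), the following contrasts the CWE‑89 pattern in a WordPress plugin with the `$wpdb->prepare()` form that mitigates it.

```php
<?php
// Added illustration; not the plugin's code. Table and function names are assumptions.

// Vulnerable pattern (CWE-89): request values are interpolated straight into SQL,
// so the caller controls the structure of the query, not just its values.
function asrm_lookup_seats_vulnerable( $product_id, $seat_label ) {
    global $wpdb;
    $table = $wpdb->prefix . 'seat_reservations'; // assumed table name
    $sql   = "SELECT seat_label, status FROM {$table}
              WHERE product_id = {$product_id} AND seat_label = '{$seat_label}'";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened form: enforce the expected types first, then bind values with
// $wpdb->prepare(), which quotes %s and casts %d so input cannot alter the SQL.
function asrm_lookup_seats_safe( $product_id, $seat_label ) {
    global $wpdb;
    $product_id = absint( $product_id );                            // positive integer only
    $seat_label = sanitize_text_field( wp_unslash( $seat_label ) ); // plain text only
    if ( 0 === $product_id || '' === $seat_label ) {
        return array(); // reject malformed input instead of guessing
    }
    $table = $wpdb->prefix . 'seat_reservations';
    $sql   = $wpdb->prepare(
        "SELECT seat_label, status FROM {$table} WHERE product_id = %d AND seat_label = %s",
        $product_id,
        $seat_label
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Pattern searches additionally need esc_like(): the %s placeholder neutralises
// quoting but not the LIKE wildcards % and _ inside the value.
function asrm_search_seats_safe( $prefix ) {
    global $wpdb;
    $table = $wpdb->prefix . 'seat_reservations';
    $like  = $wpdb->esc_like( sanitize_text_field( wp_unslash( $prefix ) ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT seat_label FROM {$table} WHERE seat_label LIKE %s", $like ),
        ARRAY_A
    );
}
```

When reviewing a plugin for this class of flaw, the check is that every request-derived value reaches SQL only through a `prepare()` placeholder, never through string concatenation as in the first function.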
OpenCVE Enrichment