Description
The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a generic SQL injection that occurs when an unauthenticated attacker supplies a crafted value in the id parameter of the Court Reservation plugin. The insufficient escaping and lack of prepared statements allow the attacker to append additional SQL statements to the original query, giving them the ability to read or otherwise retrieve sensitive data stored in the WordPress database. This flaw directly maps to CWE‑89 and can result in information disclosure if the attack succeeds.

Affected Systems

The flaw affects the Court Reservation – Manage Your Court Bookings Online WordPress plugin from the vendor webmuehle, in all releases up to and including version 1.10.11. Any site using a legacy version of this plugin is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is considered high severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog. Attackers can exploit the flaw without authentication by sending a request containing a malicious id value to the plugin’s public endpoint, thereby gaining read access to the database through the injected SQL.

Generated by OpenCVE AI on May 12, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Court Reservation plugin to version 1.10.12 or later.
  • If an upgrade cannot be performed, enforce numeric input on the id parameter and escape it explicitly before inclusion in any SQL query.
  • Deploy a Web Application Firewall rule that blocks requests containing typical SQL injection payloads targeting the id parameter

Generated by OpenCVE AI on May 12, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 22:45:00 +0000

Type Values Removed Values Added
Description The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Court Reservation – Manage Your Court Bookings Online <= 1.10.11 - Unauthenticated SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-13T00:18:21.599Z

Reserved: 2026-01-20T18:59:57.890Z

Link: CVE-2026-1250

cve-icon Vulnrichment

Updated: 2026-05-13T00:18:12.014Z

cve-icon NVD

Status : Received

Published: 2026-05-12T23:16:16.803

Modified: 2026-05-12T23:16:16.803

Link: CVE-2026-1250

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:30:26Z

Weaknesses