HIGH | CVE-2026-48882 | CNA: Patchstack

CVE-2026-48882: WordPress WP Time Slots Booking Form plugin <= 1.2.50 - SQL Injection vulnerability

Subscriber SQL Injection in WP Time Slots Booking Form <= 1.2.50 versions.

Metrics

  • CVSS v3.1: 8.5
  • Severity: HIGH
  • Fixed in: no upstream fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

SQL injection vulnerability in the WP Time Slots Booking Form WordPress plugin (versions 1.2.50 and earlier) allows a network-based attacker with a low-privilege subscriber account to inject malicious SQL into database queries. No authentication beyond a basic subscriber role is needed, and the scope extends beyond the vulnerable component itself. Successful exploitation gives the attacker read access to sensitive database contents and can degrade service availability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin. Any image carrying the plugin at or below version 1.2.50 is flagged automatically.
Triage (Available)

HarborGuard scores this finding at CVSS 8.5 HIGH and weights it against each customer environment's compliance policy to determine urgency and routing. The resulting alert is directed to the team or inbox configured for that workload inside each customer organization.
Patch (Pending upstream)

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available immediately once the upstream fix is released. For customers who opt into auto-remediation, that rebuild will trigger a regression run and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS.

  • Authentication: Required

    A low-privilege subscriber account is sufficient; no administrator or elevated role is needed to trigger the injection.

  • Victim interaction: Not required

    The attack is fully server-side and does not require any action from another user or administrator.

  • Attack complexity: Low (AC:L)

    Exploit reliability is high: no race conditions, special memory layout, or environmental preconditions are required beyond network access and valid subscriber credentials.

Blast Radius

  • Reads arbitrary database rows, including stored user credentials, session tokens, booking records, and any personal data held in the WordPress database.
  • The changed scope (S:C) means impact can extend beyond the WordPress database itself to other data accessible by the database user account.
  • Causes partial availability degradation of the affected service, consistent with the A:L CVSS token, meaning the booking form or broader WordPress site may become slow or intermittently unresponsive.

How HarborGuard Handles This

This CVE is re-checked on every ingest cycle because no upstream fix exists yet. In the meantime, customers can apply compensating controls through HarborGuard policy rules, such as network-policy isolation that restricts which services can reach the WordPress container, egress filtering to limit lateral movement from the database, or a web-application firewall rule set that blocks SQL injection patterns at the ingress layer. Where compliance policy permits, these control suggestions surface automatically in the triage workflow. The moment an upstream patch is published, a patched-image rebuild will become available, and customers with auto-remediation enabled will receive a rebuilt image, a regression test run, and a PR opened against affected workloads, typically within approximately 90 minutes of CVE publication for high-severity issues once a fix version exists.

Affected packages

  • codepeople / WP Time Slots Booking Form, versions ≤ 1.2.50
CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L