VYPR
High severity, 8.2 (NVD) · Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2017-20243

Description

WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the space_id parameter. Attackers can send GET requests to the booking-page endpoint with malicious space_id values using AND SLEEP() payloads to extract sensitive database information.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application does not properly sanitize the space_id parameter before using it in database queries, allowing for SQL injection."

Attack vector

An unauthenticated attacker can exploit this vulnerability by sending a GET request to the booking-page endpoint. The request must include a malicious value in the `space_id` parameter, such as `9 AND SLEEP(5)`. This payload manipulates the database query, causing a time delay that indicates successful injection and allows for data extraction [ref_id=1].

Affected code

The vulnerability exists in the WordPress Car Park Booking Plugin, specifically related to the handling of the `space_id` parameter within the booking-page endpoint. The exploit details indicate that this parameter is directly incorporated into SQL queries without sufficient sanitization [ref_id=1].

What the fix does

The advisory does not provide details on a specific patch or fix. It is recommended that users update to a version of the plugin that addresses this vulnerability. The core issue lies in the lack of input sanitization for the `space_id` parameter, which should be validated and escaped before being used in SQL queries.
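To make the remediation concrete, here is an added illustration (not the plugin's own code) of the unsafe concatenation pattern the advisory describes beside the hardened form that validates `space_id` as an integer and binds it through `$wpdb->prepare()`. The function names and the `{$wpdb->prefix}carpark_spaces` table are assumptions made for this example; `space_id` is the parameter named in the advisory.

```php
<?php
// Added illustration, not the plugin's code. The parameter name space_id
// comes from the advisory; the table name, function names and query shape
// are assumptions made for this example only.

// Hypothetical unsafe pattern matching the advisory's root cause: the raw
// request value is concatenated into the SQL string, so any injected
// expression becomes part of the query the database executes.
function cpb_get_space_unsafe( $wpdb, $raw_space_id ) {
    $sql = "SELECT * FROM {$wpdb->prefix}carpark_spaces WHERE id = " . $raw_space_id;
    return $wpdb->get_row( $sql );
}

// Hardened path: validate the type first, then bind the value with
// $wpdb->prepare(). space_id is an integer identifier, so anything that is
// not a plain positive integer is rejected before any SQL is built, and the
// %d placeholder guarantees an integer literal in the final query.
function cpb_validate_space_id( $raw ) {
    // Strict whitelist: digits only. Unlike absint(), this does not silently
    // coerce "9 AND SLEEP(5)" to 9, so the bad input stays visible to the
    // caller (and to logging) instead of being quietly accepted.
    if ( ! is_int( $raw ) && ! is_string( $raw ) ) {
        return null;
    }
    if ( ! preg_match( '/^[1-9][0-9]*$/', (string) $raw ) ) {
        return null;
    }
    return (int) $raw;
}

function cpb_get_space_safe( $wpdb, $raw_space_id ) {
    $space_id = cpb_validate_space_id( $raw_space_id );
    if ( null === $space_id ) {
        // Caller should answer with a 400; never fall through with a guess.
        return null;
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}carpark_spaces WHERE id = %d",
        $space_id
    );
    return $wpdb->get_row( $sql );
}
```

In a real handler the `null` return from `cpb_get_space_safe()` should map to an HTTP 400 (for example `wp_die( 'Invalid space_id', '', array( 'response' => 400 ) )`) so rejected requests are distinguishable in logs from ordinary lookups.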

Preconditions

  • auth: The attacker does not require any authentication.
  • input: The `space_id` parameter must be controllable by the attacker.

Reproduction

SQLi:

https://localhost/[path]/booking-page/?step=3&space_id=9 AND SLEEP(5)&re_price=12

Parameter: space_id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: step=3&space_id=9 AND SLEEP(5)&re_price=12 [ref_id=1]

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.