CVE-2025-39355

Vulnerability

Overview An SQL Injection vulnerability exists in the FAT Services Booking WordPress plugin, versions from n/a through 5.6. The plugin fails to properly neutralize special elements in SQL commands, allowing attackers to inject malicious SQL queries. This issue is cataloged as CVE-2025-39355 with a CVSS score of 8.5 (High) [1].

Exploitation

Details The vulnerability can be exploited without authentication, meaning any remote attacker can send crafted HTTP requests to the vulnerable plugin endpoint. The attack surface is wide as the plugin is used on numerous WordPress sites. Given the simplicity of exploitation, this vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites indiscriminately [1].

Impact

Successful exploitation allows an attacker to directly interact with the underlying database. This could lead to data theft, including sensitive information such as user credentials, personal data, and other stored content. Depending on the database configuration, attackers might also modify or delete data, potentially leading to site compromise or defacement [1].

Mitigation

The vendor has released a fix in a patched version. Users are strongly advised to update the FAT Services Booking plugin to version 5.7 or later immediately. If unable to update, site administrators should contact their hosting provider or a web developer for assistance. Given the high severity and active exploitation potential, this vulnerability has been flagged as high risk [1].