CVE-2026-48882

Vulnerability

A subscriber-level SQL injection vulnerability exists in the WP Time Slots Booking Form plugin for WordPress, affecting all versions up to and including 1.2.50. The flaw allows an authenticated user with subscriber privileges to inject arbitrary SQL statements into database queries, bypassing input sanitization. [1]

Exploitation

An attacker needs only a valid WordPress subscriber account to exploit this vulnerability. By sending specially crafted input to vulnerable endpoints, the attacker can inject malicious SQL code that is executed against the site's database. No additional privileges or user interaction beyond the subscriber role are required. [1]

Impact

Successful exploitation enables the attacker to directly interact with the WordPress database, leading to the exfiltration of sensitive data such as user credentials, personal information, and site configuration. The CVSS v3 base score is 8.5 (High), and the vulnerability is considered highly dangerous, with active mass-exploit campaigns expected. [1]

Mitigation

The vendor has released version 1.2.51 which fixes the SQL injection. All users are advised to update immediately. If updating is not possible, applying a virtual patch or mitigation rule (e.g., from Patchstack) can block attacks until the update is applied. Hosting providers or web developers may assist with workarounds. [1]