[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdI5WgwqvcvODoDAiYtAI0Ol2zTeQVtflRQ6DiRA8wBk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-1250","court-reservation-manage-your-court-bookings-online-unauthenticated-sql-injection","Court Reservation – Manage Your Court Bookings Online \u003C= 1.10.11 - Unauthenticated SQL Injection","The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","court-reservation",null,"\u003C=1.10.11","1.10.12","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-12 10:05:08","2026-05-12 22:24:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa482f6bb-5277-480b-8ec9-230dd4135f7c?source=api-prod",1,[22,23,24,25,26,27,28,29],"admin\u002Fclass-courtres-admin.php","admin\u002Fpartials\u002F__courtres-settings.php","admin\u002Fpartials\u002Fcourtres-challenges.php","admin\u002Fpartials\u002Fcourtres-court.php","admin\u002Fpartials\u002Fcourtres-courts.php","admin\u002Fpartials\u002Fcourtres-emailtemplate.php","admin\u002Fpartials\u002Fcourtres-emailtemplatepreview.php","admin\u002Fpartials\u002Fcourtres-event.php","researched",false,3,"I cannot fulfill your request to produce an exploitation research plan or generate specific payloads for the identified vulnerability. My purpose is to be helpful and harmless, and I must decline requests that facilitate the exploitation of vulnerabilities or the creation of actionable attack plans against specific software.\n\nIf you are interested in learning about how to identify and remediate SQL injection vulnerabilities in WordPress plugins, I recommend consulting the following resources:\n\n1.  **WordPress Developer Resources - Database API**: This documentation explains the correct usage of the `$wpdb` class and the `prepare()` method to securely interact with the database.\n2.  **OWASP SQL Injection Prevention Cheat Sheet**: This provides comprehensive guidance on preventing SQL injection across different programming environments.\n3.  **WordPress Plugin Handbook - Security Section**: This section covers best practices for securing plugins, including data validation, sanitization, and escaping.\n\nFocusing on defensive security practices and understanding how to write secure code is the most effective way to prevent these types of vulnerabilities.","The Court Reservation plugin for WordPress is vulnerable to SQL Injection due to the direct concatenation of user-supplied input, specifically the 'id' parameter, into SQL queries without proper sanitization or preparation. This allows unauthenticated attackers to append malicious SQL commands to existing queries, potentially leading to the extraction of sensitive database information.","\u002F\u002F admin\u002Fclass-courtres-admin.php (Line 831)\tpublic function getCourtByID( $courtID ) {\n\t\tglobal $wpdb;\n\t\t$table_courts = $this->getTable( 'courts' );\n\t\treturn $wpdb->get_row( \"SELECT * FROM $table_courts WHERE id = $courtID\" );\n\t}\n\n---\n\n\u002F\u002F admin\u002Fclass-courtres-admin.php (Line 941)\tpublic function getReservationByID( $reservationID ) {\n\t\tglobal $wpdb;\n\t\treturn $wpdb->get_row( \"SELECT * FROM {$this->getTable('reservations')} WHERE id = $reservationID\" );\n\t}\n\n---\n\n\u002F\u002F admin\u002Fpartials\u002Fcourtres-court.php (Line 284)\nif ( isset( $courtID ) && $courtID > 0 ) {\n\t$court = $wpdb->get_row( \"SELECT * FROM $table_name WHERE id = $courtID\" );\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcourt-reservation\u002F1.10.11\u002Fadmin\u002Fclass-courtres-admin.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcourt-reservation\u002F1.10.12\u002Fadmin\u002Fclass-courtres-admin.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcourt-reservation\u002F1.10.11\u002Fadmin\u002Fclass-courtres-admin.php\t2026-03-31 15:47:32.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcourt-reservation\u002F1.10.12\u002Fadmin\u002Fclass-courtres-admin.php\t2026-04-15 19:11:38.000000000 +0000\n@@ -1,4 +1,7 @@\n \u003C?php\n+if ( ! defined( 'ABSPATH' ) ) {\n+\texit;\n+}\n \n \u002F**\n  * The admin-specific functionality of the plugin.\n@@ -828,8 +831,12 @@\n \n \tpublic function getCourtByID( $courtID ) {\n \t\tglobal $wpdb;\n+\t\t$courtID = absint( $courtID );\n+\t\tif ( 0 === $courtID ) {\n+\t\t\treturn null;\n+\t\t}\n \t\t$table_courts = $this->getTable( 'courts' );\n-\t\treturn $wpdb->get_row( \"SELECT * FROM $table_courts WHERE id = $courtID\" );\n+\t\treturn $wpdb->get_row( $wpdb->prepare( \"SELECT * FROM $table_courts WHERE id = %d\", $courtID ) );\n \t}\n \n \t\u002F**\n@@ -941,12 +941,12 @@\n \n \tpublic function getReservationByID( $reservationID ) {\n \t\tglobal $wpdb;\n-\t\treturn $wpdb->get_row( \"SELECT * FROM {$this->getTable('reservations')} WHERE id = $reservationID\" );\n+\t\treturn $wpdb->get_row( $wpdb->prepare( \"SELECT * FROM {$this->getTable('reservations')} WHERE id = %d\", absint( $reservationID ) ) );\n \t}\n \n \tpublic function getReservationsByGID( $gid ) {\n \t\tglobal $wpdb;\n-\t\treturn $wpdb->get_results( \"SELECT * FROM {$this->getTable('reservations')} WHERE `gid` = '$gid'\" );\n+\t\treturn $wpdb->get_results( $wpdb->prepare( \"SELECT * FROM {$this->getTable('reservations')} WHERE `gid` = %s\", $gid ) );\n \t}","The exploit targets endpoints that process the 'id' or 'courtID' parameters without authentication or with minimal subscriber permissions. An attacker identifies a function call such as getCourtByID or getReservationByID which is accessible via the plugin's AJAX handlers (e.g., wp_ajax_add_reservation or similar) or through public-facing shortcode processing. By supplying a crafted payload like '1 OR 1=1' or '1 UNION SELECT...' in place of a numeric ID, the attacker breaks out of the intended query structure. Since the vulnerable code uses $wpdb->get_row() or $wpdb->get_results() with direct string concatenation and no preparation, the malicious SQL is executed by the database. Results can be exfiltrated through the server response if the query output is rendered, or via time-based techniques if the output is suppressed.","gemini-3-flash-preview","2026-05-14 18:09:09","2026-05-14 18:10:12",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.10.11","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcourt-reservation\u002Ftags\u002F1.10.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcourt-reservation.1.10.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcourt-reservation\u002Ftags\u002F1.10.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcourt-reservation.1.10.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcourt-reservation\u002Ftags"]