{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-1250/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-1250"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["The Court Reservation – Manage Your Court Bookings Online plugin for WordPress \u003c= 1.10.11"],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","plugin","CVE-2026-1250","web-application"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-1250 identifies a SQL injection vulnerability affecting the Court Reservation – Manage Your Court Bookings Online plugin for WordPress, impacting all versions up to and including 1.10.11. The vulnerability stems from insufficient escaping of the user-supplied \u0026lsquo;id\u0026rsquo; parameter within SQL queries, coupled with a lack of adequate preparation of these queries. This flaw allows unauthenticated attackers to inject arbitrary SQL commands into existing queries, potentially leading to the extraction of sensitive data from the WordPress database. This vulnerability poses a significant risk to website owners using the affected plugin, as attackers could gain access to user credentials, financial information, or other confidential data stored within the database.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website using a vulnerable version (\u0026lt;= 1.10.11) of the Court Reservation plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the \u0026lsquo;id\u0026rsquo; parameter (e.g., a page or API endpoint that displays court reservation details).\u003c/li\u003e\n\u003cli\u003eThe attacker injects SQL code into the \u0026lsquo;id\u0026rsquo; parameter within the HTTP request. For example, \u003ccode\u003eid=1' OR '1'='1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe WordPress application processes the request, passing the unsanitized \u0026lsquo;id\u0026rsquo; parameter to the vulnerable SQL query.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed within the database context, potentially modifying the query\u0026rsquo;s original intent.\u003c/li\u003e\n\u003cli\u003eThe attacker uses SQL injection techniques like \u003ccode\u003eUNION SELECT\u003c/code\u003e to extract sensitive data from other database tables, such as user credentials or configuration information.\u003c/li\u003e\n\u003cli\u003eThe database returns the results of the modified query, which now includes the attacker-requested data.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the extracted sensitive information from the HTTP response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-1250) allows unauthenticated attackers to access sensitive information stored in the WordPress database. This can include user credentials (usernames, passwords, email addresses), personal information, and potentially financial data if stored in the database. The impact can range from account compromise and identity theft to data breaches and financial loss. Given the widespread use of WordPress and its plugins, a successful exploit could affect a significant number of websites and their users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Court Reservation – Manage Your Court Bookings Online plugin to the latest version, which contains a patch for CVE-2026-1250.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WordPress Court Reservation Plugin SQL Injection (CVE-2026-1250)\u0026rdquo; to detect exploitation attempts targeting the vulnerable \u0026lsquo;id\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to filter out requests containing potentially malicious SQL injection payloads in the \u0026lsquo;id\u0026rsquo; parameter.\u003c/li\u003e\n\u003cli\u003eReview WordPress database logs for suspicious queries containing SQL injection syntax.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T23:17:36Z","date_published":"2026-05-12T23:17:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-court-reservation-sqli/","summary":"The Court Reservation – Manage Your Court Bookings Online plugin for WordPress versions 1.10.11 and earlier are vulnerable to SQL injection via the 'id' parameter, enabling unauthenticated attackers to extract sensitive database information.","title":"WordPress Court Reservation Plugin SQL Injection Vulnerability (CVE-2026-1250)","url":"https://feed.craftedsignal.io/briefs/2026-05-wordpress-court-reservation-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-1250","version":"https://jsonfeed.org/version/1.1"}