CVE-2017-20243
Deferred - Pending Action
Time-Based SQL Injection in WordPress Car Park Booking Plugin

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description
WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the space_id parameter. Attackers can send GET requests to the booking-page endpoint with malicious space_id values using AND SLEEP() payloads to extract sensitive database information.
Meta Information
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs

Vendor        Product                             Version / Range
ktlabs-dev    car_park_booking_wordpress_plugin   to 1.0 (inc)
ktlabs-dev    car_park_booking_wordpress_plugin   From 1.0 (inc)
wordpress     car_park_booking_plugin             13
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2017-20243 is a time-based SQL injection vulnerability found in the WordPress Car Park Booking Plugin version 1.0 or earlier. It allows unauthenticated attackers to inject malicious SQL code through the space_id parameter in GET requests to the booking-page endpoint.

Attackers exploit this by sending specially crafted requests containing payloads like AND SLEEP(), which cause the database to delay its response if certain conditions are true. This technique enables attackers to extract sensitive information from the database by observing response times.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform SQL injection attacks that can extract sensitive information from the database. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access.

By enabling attackers to access or manipulate sensitive data, the vulnerability increases the risk of data breaches, which can result in legal and financial penalties under these regulations.

Mitigation Strategies

To mitigate the SQL injection vulnerability in the WordPress Car Park Booking Plugin, you should immediately update the plugin to the latest version that addresses this issue.

If an update is not yet available, consider temporarily disabling the plugin or restricting access to the booking-page endpoint to trusted users only.

Additionally, implement web application firewall (WAF) rules to detect and block malicious SQL injection payloads targeting the space_id parameter.

Monitor your web server logs for suspicious GET requests containing SQL injection patterns such as AND SLEEP() payloads.

Impact Analysis

This vulnerability can have significant impacts, including unauthorized access to sensitive database information. Attackers can manipulate database queries without authentication, potentially extracting confidential data.

Because the vulnerability allows data extraction through time-based SQL injection, it can lead to data breaches, loss of user privacy, and compromise of the integrity of the booking system.

The CVSS score of 8.8 indicates a high severity risk, meaning the vulnerability poses a serious threat to the security of affected systems.

Detection Guidance

This vulnerability can be detected by sending crafted GET requests to the booking-page endpoint with malicious payloads in the space_id parameter to observe time delays caused by SQL injection.

  • Use a command like: curl "http://<target>/booking-page?space_id=9 AND SLEEP(5)" and check if the response is delayed by approximately 5 seconds, indicating a time-based SQL injection.
  • Monitor network traffic for unusual GET requests to the booking-page endpoint containing suspicious SQL payloads such as AND SLEEP().
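As an added example (not part of this record or of the plugin's code), the following Python triage script applies the log-monitoring advice from the Mitigation Strategies and Detection Guidance sections: it parses web server access-log lines, isolates the space_id parameter of requests to the booking-page endpoint, decodes it (including double URL encoding) and flags delay primitives such as AND SLEEP() as well as any value that is not the plain integer the parameter is meant to carry. The Common Log Format, the path match on "booking-page" and the sample log lines are assumptions; the lines are constructed, not captured from a real server.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Common Log Format; the target is matched lazily so a malformed request line
# with raw spaces (as in the curl command above) is still captured.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) \S+$')
# Delay primitives used by time-based SQLi on common engines. Comment-obfuscated
# forms such as SLEEP/**/(5) are not covered: this is a triage filter, not a WAF.
DELAY_RE = re.compile(r'\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay', re.I)

def classify_space_id(value):
    """'time-based' for a delay primitive, 'non-integer' for anything that is
    not the plain integer the plugin expects, None for a benign value."""
    decoded = unquote_plus(value)  # parse_qs decoded once; this catches double encoding
    if DELAY_RE.search(decoded):
        return 'time-based'
    return None if decoded.strip().isdigit() else 'non-integer'

def inspect_target(target):
    """Most severe verdict over all space_id values of a booking-page request."""
    parts = urlsplit(target)
    if 'booking-page' not in parts.path:
        return None
    verdicts = {classify_space_id(v) for v in parse_qs(parts.query).get('space_id', [])}
    for verdict in ('time-based', 'non-integer'):
        if verdict in verdicts:
            return verdict
    return None

def scan_log(lines):
    """(host, time, verdict, target) for every GET request worth reviewing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m['method'] == 'GET':
            verdict = inspect_target(m['target'])
            if verdict:
                hits.append((m['host'], m['time'], verdict, m['target']))
    return hits

# Constructed sample lines, not from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2026:10:00:01 +0000] "GET /booking-page?space_id=9 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [09/Jun/2026:10:00:07 +0000] "GET /booking-page?space_id=9%20AND%20SLEEP(5) HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Jun/2026:10:01:13 +0000] "GET /booking-page?space_id=9%2520AND%2520sleep%25285%2529 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Jun/2026:10:01:40 +0000] "GET /booking-page?space_id=9%27 HTTP/1.1" 500 0',
    '192.0.2.9 - - [09/Jun/2026:10:02:00 +0000] "GET /index.php?s=sleep(5) HTTP/1.1" 200 900',
]
```

Running scan_log(SAMPLE_LOG) returns three hits: the two encoded SLEEP() requests as 'time-based' and the stray quote as 'non-integer', while the benign booking-page request and the unrelated index.php request are ignored.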