CVE-2017-20243

HIGH

WordPress Car Park Booking Plugin SQL Injection via space_id

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-20243. PoCs published by 8bitsec.

AI-analyzed exploit summary The exploit demonstrates a time-based blind SQL injection vulnerability in the WordPress Car Park Booking plugin via the 'space_id' parameter. The PoC includes a crafted URL that triggers a 5-second delay using SLEEP(5), confirming the vulnerability.

Description

WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the space_id parameter. Attackers can send GET requests to the booking-page endpoint with malicious space_id values using AND SLEEP() payloads to extract sensitive database information.

Exploits (1)

exploitdb WORKING POC

by 8bitsec · textwebappsphp

https://www.exploit-db.com/exploits/43012

View Code ZIP pw:eip

The exploit demonstrates a time-based blind SQL injection vulnerability in the WordPress Car Park Booking plugin via the 'space_id' parameter. The PoC includes a crafted URL that triggers a 5-second delay using SLEEP(5), confirming the vulnerability.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Car Park Booking WordPress Plugin (version 13 October 17)

No auth needed

Prerequisites: WordPress installation with vulnerable plugin · Access to the booking page URL

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Jun 09, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-43012

https://www.exploit-db.com/exploits/43012

Product product

Official Product Homepage

https://codecanyon.net/item/car-park-booking-wordpress-plugin/20284035

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress Car Park Booking Plugin SQL Injection via space_id

https://www.vulncheck.com/advisories/wordpress-car-park-booking-plugin-sql-injection-via-space-id

Scores

CVSS v3 8.2

EPSS 0.0026

EPSS Percentile 17.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

QuanticaLabs/Car Park Booking System 1.0

Published Jun 09, 2026

Tracked Since Jun 09, 2026