Published: June 21, 2026

CVE-2026-48882: WP Time Slots Booking Form <= 1.2.50 Authenticated (Subscriber+) SQL Injection PoC, Patch Analysis & Rule

Severity: Medium (CVSS 6.5)
CWE: 89
Vulnerable Version: 1.2.50
Patched Version: 1.2.51
Disclosed: June 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-48882: This vulnerability allows authenticated attackers with subscriber-level access or higher to perform SQL injection in the WP Time Slots Booking Form plugin for WordPress, in versions up to and including 1.2.50. The CVSS score is 6.5 (Medium).

The root cause is insufficient sanitization of the 'cal' parameter before it is used in a SQL query. The vulnerable code spans two files. In cp-main-class.inc.php line 766, the 'cal' parameter from GET or POST is assigned directly to $this->item without sanitization: $this->item = $this->get_param("cal"). That value is later concatenated into a query in cp-base-class.inc.php line 177: $wpdb->get_results("SELECT * FROM ".$wpdb->prefix.$this->table_items." WHERE id=".$this->item). The value reaches the query without escaping, integer casting, or use of $wpdb->prepare().

Exploitation requires authenticated access at the subscriber level or higher. The attacker sends a request whose 'cal' parameter carries a SQL injection payload. The vulnerable code is reached through the plugin's WordPress admin pages, where the plugin's internal flow triggers the query. An attacker can set the 'cal' parameter to something like 1 UNION SELECT user_pass FROM wp_users WHERE user_login='admin'-- to extract the admin password hash.

The patch applies intval() to the 'cal' parameter value in cp-main-class.inc.php line 767, changing $this->item = $this->get_param("cal") to $this->item = intval($this->get_param("cal")). This ensures that only an integer value reaches the SQL query. The same cast is applied at the query itself in cp-base-class.inc.php line 177. The patch also removes a now-redundant block in the publish-wizard branch that previously applied its own intval() cast to 'cal'.

Successful exploitation allows an attacker to extract sensitive database contents including password hashes, user emails, and other private data stored in the WordPress database. The attacker can also potentially modify or delete database records depending on the database user permissions. Combined with other techniques, this could lead to administrative account takeover.
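The advisory's title promises a rule, but the page above does not include one. As an added example (not Atomic Edge's rule and not the plugin's code), the script below applies the defensive idea behind the patch, that 'cal' must be a plain integer, as a detection over web-server access logs: it parses common-log-format request lines (an assumed log shape), looks only at requests under /wp-admin/ where the plugin's pages live, and flags any 'cal' value that is not a signed integer literal. It generalizes beyond the UNION payload described above to any non-integer value, since intval() would coerce all of them. The sample log lines are constructed, and the page slug after "page=" is a placeholder because the plugin's real admin page name is not given on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx common-log-format request line (assumed log shape for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The only shape that survives the patched intval() cast unchanged:
# an optional sign followed by digits. intval() coerces anything else to 0,
# so a validation or detection layer should treat anything else as suspect.
INT_RE = re.compile(r"^[+-]?\d+$")

def is_integer_param(value):
    """Strict check: True only for a plain (optionally signed) integer literal."""
    return INT_RE.match(value.strip()) is not None

def cal_values(request_target):
    """Return every 'cal' value in the query string of a request target,
    percent-decoded the way the server would see it."""
    return parse_qs(urlsplit(request_target).query).get("cal", [])

def flag_suspicious(log_lines):
    """Return (line_no, client_ip, cal_value) for admin-area requests whose
    'cal' parameter is not a plain integer. The vulnerable code is reached
    under /wp-admin/, so requests elsewhere are ignored to keep noise down."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the shape we parse
        target = m.group("target")
        if not target.startswith("/wp-admin/"):
            continue
        for v in cal_values(target):
            if not is_integer_param(v):
                findings.append((n, m.group("ip"), v))
    return findings

# Constructed sample log lines; PLUGIN_PAGE_SLUG is a placeholder, not the
# plugin's real admin page name. Line 2 carries a non-integer cal value,
# line 3 is outside /wp-admin/ and line 4 is the legitimate "cal=0" case.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jun/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE_SLUG&cal=3 HTTP/1.1" 200 5120',
    '203.0.113.10 - - [01/Jun/2026:10:00:05 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE_SLUG&cal=3%27 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jun/2026:10:01:00 +0000] "GET /index.php?cal=abc HTTP/1.1" 200 100',
    '198.51.100.7 - - [01/Jun/2026:10:01:09 +0000] "GET /wp-admin/admin.php?page=PLUGIN_PAGE_SLUG&cal=0 HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    for line_no, ip, value in flag_suspicious(SAMPLE_LOG):
        print(f"line {line_no}: {ip} sent non-integer cal={value!r}")
```

Because the check is a whitelist on the parameter's shape rather than a blacklist of SQL keywords, it also catches encoded or obfuscated variants without a signature per payload; the trade-off is that it needs the path filter to avoid flagging unrelated uses of a parameter named 'cal' elsewhere on the site.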

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/wp-time-slots-booking-form/classes/cp-base-class.inc.php
+++ b/wp-time-slots-booking-form/classes/cp-base-class.inc.php
@@ -174,7 +174,7 @@
             $value = (property_exists($this->option_buffered_item, $field) && !empty(@$this->option_buffered_item->$field) ? @$this->option_buffered_item->$field : '');
         else
         {
-           $myrows = $wpdb->get_results( "SELECT * FROM ".$wpdb->prefix.$this->table_items." WHERE id=".$this->item );
+           $myrows = $wpdb->get_results( "SELECT * FROM ".$wpdb->prefix.$this->table_items." WHERE id=".intval($this->item) );
            if (count($myrows))
            {
                $value = @$myrows[0]->$field;
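Review bot: The `intval($this->item)` on the `+` line closes the injection at this sink, but the query is still assembled by string concatenation; binding the id through `$wpdb->prepare( "SELECT * FROM {$wpdb->prefix}{$this->table_items} WHERE id = %d", $this->item )` would make the integer constraint explicit and consistent with the rest of the WordPress API. Note also that `intval()` maps any non-numeric string to 0, so malformed input silently queries `id=0` and falls through `if (count($myrows))` as an empty `$value`, which hides the bad input rather than rejecting it.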
--- a/wp-time-slots-booking-form/cp-main-class.inc.php
+++ b/wp-time-slots-booking-form/cp-main-class.inc.php
@@ -14,6 +14,7 @@
     private $include_user_data_csv = false;
     public $CP_CFPP_global_templates;
     private $old_css_placeholder = '/* Styles definition here */';
+    private $postURL;

     protected $paid_statuses = array('Pending','Cancelled','Rejected');
     public $shorttag = 'CP_TIME_SLOTS_BOOKING';
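Review bot: Declaring `private $postURL;` is a sensible cleanup, since a later hunk assigns `$this->postURL` and PHP 8.2 deprecates creating dynamic properties on the fly; the commit message should mention it, and it is worth confirming that no code outside the class reads `postURL`, given it is declared `private` rather than `public` like the neighbouring `$CP_CFPP_global_templates`.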
@@ -762,7 +763,7 @@
         }
         else if ($this->get_param("cal") || $this->get_param("cal") == '0' || $this->get_param("pwizard") == '1')
         {
-            $this->item = $this->get_param("cal");
+            $this->item = intval($this->get_param("cal"));
             if (isset($_GET["edit"]) && $_GET["edit"] == '1')
                 @include_once dirname( __FILE__ ) . '/cp_admin_int_edition.inc.php';
             else if ($this->get_param("schedule") == '1')
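Review bot: The `intval()` on the `+` line fixes the assignment, but the `else if` condition above it still tests the raw string (`$this->get_param("cal") || $this->get_param("cal") == '0' || ...`), so a non-numeric `cal` such as `"abc"` is truthy, enters the branch and is then coerced to 0. Consider validating once before the branch (for example `ctype_digit()` or WordPress's `absint()` with a rejection path) so that non-integer input is refused rather than silently turned into id 0.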
@@ -774,11 +775,7 @@
             else if ($this->get_param("addbk") == '1')
                 @include_once dirname( __FILE__ ) . '/cp-admin-int-add-booking.inc.php';
             else if ($this->get_param("pwizard") == '1')
-            {
-                if ($this->get_param("cal"))
-                    $this->item = intval($this->get_param("cal"));
                 @include_once dirname( __FILE__ ) . '/cp-publish-wizzard.inc.php';
-            }
             else
                 @include_once dirname( __FILE__ ) . '/cp-admin-int.inc.php';
         }
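Review bot: Dropping the inner `if ($this->get_param("cal")) $this->item = intval(...)` block is safe only because the outer branch at line 766 now casts unconditionally, and the commit message should say so. One behavioural difference worth recording: when `pwizard=1` is sent without `cal`, `$this->item` previously kept whatever value it already had, whereas it now becomes `intval()` of an empty parameter, i.e. 0.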
@@ -955,7 +952,10 @@
         {
             $this->verify_nonce ( sanitize_text_field($_POST["anonce"]), 'cptslotsb_actions_wizard');
             $shortcode = '['.$this->shorttag.'  id="'.$this->item .'"]';
-            $this->postURL = $this->publish_on( sanitize_text_field($_POST["whereto"]), sanitize_text_field($_POST["publishpage"]), sanitize_text_field($_POST["publishpost"]), $shortcode, sanitize_text_field($_POST["posttitle"]));
+            $publishpage = '';
+            if (isset($_POST["publishpage"]))
+                $publishpage = sanitize_text_field($_POST["publishpage"]);
+            $this->postURL = $this->publish_on( sanitize_text_field($_POST["whereto"]), $publishpage, sanitize_text_field($_POST["publishpost"]), $shortcode, sanitize_text_field($_POST["posttitle"]));
             return;
         }
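Review bot: Only `publishpage` receives an `isset()` guard, while `$_POST["whereto"]`, `$_POST["publishpost"]` and `$_POST["posttitle"]` on the same `$this->postURL = ...` line are still read unconditionally and will raise an undefined-index warning when absent; apply the same guard to all four (or use `$_POST["..."] ?? ''`) for consistency. The `$shortcode` line interpolating `$this->item` is fine here, since `item` is now an integer after the `intval()` change earlier in this file.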

--- a/wp-time-slots-booking-form/wp-time-slots-booking-plugin.php
+++ b/wp-time-slots-booking-form/wp-time-slots-booking-plugin.php
@@ -3,7 +3,7 @@
 Plugin Name: WP Time Slots Booking Form
 Plugin URI: https://wptimeslot.dwbooster.com/
 Description: Time Slots / Appointment Booking Plugin for WordPress
-Version: 1.2.50
+Version: 1.2.51
 Author: CodePeople
 Author URI: https://wptimeslot.dwbooster.com/
 License: GPLv2
