CVE-2026-1250: SQL Injection in Court Reservation Plugin

Successful exploitation of CVE-2026-1250 could allow an attacker to bypass authentication and directly query the WordPress database. This could result in the exfiltration of sensitive information such as user credentials (usernames and passwords), customer data (names, addresses, contact details), booking details, and potentially even administrative configurations. The attacker could also modify or delete data within the database, leading to data integrity issues and service disruption. While the plugin itself might not be directly exposed to the public internet, a compromised WordPress site could be used as a launchpad for further attacks on the internal network, expanding the blast radius of the vulnerability.

1. 予約済み2026-01-20
2. 公開日2026-05-12
3. 更新日2026-05-13
4. EPSS 更新日2026-05-14

The primary mitigation for CVE-2026-1250 is to immediately upgrade the Court Reservation plugin to version 1.10.12 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the ‘id’ parameter. Specifically, look for unusual characters or SQL keywords in the parameter value. Additionally, review WordPress security best practices, including limiting user privileges and regularly scanning for vulnerabilities.