CVE-2025-31910: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2025-31910) was discovered in the BookingPress WordPress plugin affecting versions up to and including 1.1.28. The vulnerability was disclosed on April 1, 2025, and was identified by researcher Phat RiO from BlueRock. The issue stems from improper neutralization of special elements used in SQL commands within the plugin (WPScan, Patchstack).

The vulnerability is classified as an SQL Injection (CWE-89) that occurs due to insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. The vulnerability has received a CVSS v3.1 base score of 7.6 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L. This indicates that while the vulnerability requires high privileges to exploit, it can potentially lead to significant data exposure (NVD).

The vulnerability allows authenticated attackers with administrator-level access to append additional SQL queries to existing ones, potentially enabling the extraction of sensitive information from the database. The high CVSS score particularly reflects the potential for significant confidentiality impact and some availability impact to the affected systems (WPScan).

As of the vulnerability disclosure, no official fix has been made available for this security issue. Users of the BookingPress plugin versions 1.1.28 and below should consider implementing additional security controls and monitoring database access patterns until a patch is released (Patchstack).