CVE-2025-13724

WordPress · WordPress VikRentCar Car Rental Management System plugin

A high-severity vulnerability has been identified in the VikRentCar Car Rental Management System plugin for WordPress.

Executive summary

A high-severity vulnerability has been identified in the VikRentCar Car Rental Management System plugin for WordPress. This flaw allows an unauthenticated attacker to extract sensitive information from the website's database, potentially exposing customer data, user credentials, and other confidential business information. Immediate patching is required to prevent potential data breaches.

Vulnerability

The vulnerability is a time-based blind SQL Injection. An attacker can send specially crafted SQL queries embedded within the 'month' parameter of a request to the plugin. The application fails to properly sanitize this input before using it in a database query, allowing the attacker's malicious SQL to be executed. By injecting commands that cause the database to pause (e.g., SLEEP()) based on true/false conditions, the attacker can infer the contents of the database one character at a time by measuring the server's response time. This technique does not require authentication and can be used to systematically exfiltrate the entire database.
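To make the defect class concrete, here is an added Python illustration (not the plugin's code, which is PHP, and not taken from the advisory) of the unsafe pattern beside its hardened form: the 'month' value is checked against an allowlist (an integer from 1 to 12) and then bound as a query parameter instead of being spliced into the statement text. The `bookings` table, its rows and the function names are constructed for the example.

```python
import re
import sqlite3

# Constructed schema standing in for a booking table; the table name and
# columns are hypothetical, not taken from the plugin.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, month INTEGER, customer TEXT)")
    conn.executemany(
        "INSERT INTO bookings (month, customer) VALUES (?, ?)",
        [(1, "alice"), (3, "bob"), (3, "carol"), (12, "dave")],
    )
    return conn

def count_bookings_vulnerable(conn, month):
    # The defect class described above: the request parameter is spliced into
    # the statement text, so anything that is not a bare number becomes SQL syntax.
    sql = "SELECT COUNT(*) FROM bookings WHERE month = " + month
    return conn.execute(sql).fetchone()[0]

# Allowlist: a calendar month is an integer 1..12, optionally zero-padded.
MONTH_RE = re.compile(r"(0?[1-9]|1[0-2])")

def parse_month(raw):
    """Return the month as an int, or None if the input is not a valid month."""
    if raw is None:
        return None
    value = raw.strip()
    if not MONTH_RE.fullmatch(value):
        return None
    return int(value)

def count_bookings_hardened(conn, raw_month):
    # Two independent layers: reject anything that is not a month before it
    # reaches the database, and bind the value as a parameter so the driver
    # never treats it as SQL text.
    month = parse_month(raw_month)
    if month is None:
        raise ValueError("month must be an integer between 1 and 12")
    row = conn.execute("SELECT COUNT(*) FROM bookings WHERE month = ?", (month,)).fetchone()
    return row[0]

if __name__ == "__main__":
    db = make_db()
    print(count_bookings_vulnerable(db, "3"))         # 2
    print(count_bookings_vulnerable(db, "3 OR 1=1"))  # 4: the WHERE clause was rewritten
    print(count_bookings_hardened(db, "3"))           # 2
    try:
        count_bookings_hardened(db, "3 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist alone would stop the injection, and the bound parameter alone would too; keeping both means a later change to one layer (for example, accepting month names) does not silently reopen the hole. In WordPress plugin code the equivalent of the bound parameter is `$wpdb->prepare()` with a `%d` placeholder, which is the form a fix for this class of bug normally takes.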

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a complete compromise of the database's confidentiality. The business impact includes the potential theft of sensitive customer data (names, contact information, booking details), hashed user passwords, and other proprietary information. Such a data breach could result in significant financial loss, regulatory penalties (e.g., under GDPR or CCPA), reputational damage, and a loss of customer trust.

Remediation

Immediate Action:

  • Immediately update the VikRentCar Car Rental Management System plugin to the latest patched version provided by the vendor.
  • If the plugin is no longer necessary for business operations, it should be deactivated and removed entirely to eliminate the attack surface.
  • Review WordPress security settings to ensure best practices are followed, such as limiting user permissions and enforcing strong passwords.

Proactive Monitoring:

  • Monitor web server access logs for unusual requests targeting the plugin, specifically looking for long strings or SQL commands like SLEEP, BENCHMARK, or WAITFOR within the 'month' parameter.
  • Monitor database logs for abnormally long-running queries, which can be an indicator of a time-based SQL injection attempt.
  • Utilize a Web Application Firewall (WAF) to detect and block common SQL injection patterns in incoming web traffic.

Compensating Controls:

  • If immediate patching is not feasible, implement a WAF with specific rules to block malicious requests targeting the vulnerable 'month' parameter.
  • Restrict access to the functionality provided by the plugin to trusted IP addresses, if possible, until a patch can be applied.
  • Ensure the database user account used by WordPress has the minimum necessary privileges (least privilege principle) to limit the impact of a potential compromise.
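The log-review bullet under Proactive Monitoring and the WAF rule under Compensating Controls describe the same predicate: look at the 'month' parameter of each request and flag values that are not a month, are unusually long, or contain a time-delay function. This is an added Python example, not part of the advisory or the plugin, that runs that predicate over a few constructed combined-format access-log lines; the IPs, paths, timestamps and user agents are invented, the `MAX_MONTH_LEN` threshold is an assumption, and the keyword list extends the page's SLEEP/BENCHMARK/WAITFOR with PG_SLEEP.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache/nginx "combined" format. The IPs,
# paths, timestamps and user agents are invented for this example; only the
# 'month' parameter name comes from the advisory.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /car-rental/?month=11 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Nov/2025:10:01:05 +0000] "GET /car-rental/?month=12 HTTP/1.1" 200 4790 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Nov/2025:10:02:10 +0000] "GET /car-rental/?month=11%20AND%20SLEEP%285%29 HTTP/1.1" 200 4821 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Nov/2025:10:02:16 +0000] "GET /car-rental/?month=11%20AND%20BENCHMARK%281%2C1%29 HTTP/1.1" 200 4821 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Nov/2025:10:02:22 +0000] "GET /car-rental/?month=' + "1" * 40 + ' HTTP/1.1" 200 4821 "-" "python-requests/2.31"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A calendar month is an integer 1..12, optionally zero-padded.
MONTH_RE = re.compile(r"(0?[1-9]|1[0-2])")
# Time-delay functions named in the advisory, plus PostgreSQL's pg_sleep.
TIME_SQL_RE = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR|PG_SLEEP)\b", re.IGNORECASE)
MAX_MONTH_LEN = 24  # assumed threshold; a legitimate month is at most two characters

def inspect_month(value):
    """Return the list of reasons a 'month' value looks suspicious (empty if clean)."""
    reasons = []
    if not MONTH_RE.fullmatch(value.strip()):
        reasons.append("non-numeric month")
    if TIME_SQL_RE.search(value):
        reasons.append("time-based SQL keyword")
    if len(value) > MAX_MONTH_LEN:
        reasons.append("oversized value")
    return reasons

def scan_access_log(text):
    """Parse combined-format lines and return one finding per suspicious 'month' value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes, so encoded payloads are inspected in clear form.
        for raw in parse_qs(query, keep_blank_values=True).get("month", []):
            reasons = inspect_month(raw)
            if reasons:
                findings.append({"ip": m["ip"], "ts": m["ts"], "month": raw, "reasons": reasons})
    return findings

def suspicious_requests_per_ip(findings):
    """Blind extraction needs many requests, so volume per source is the stronger signal."""
    return Counter(f["ip"] for f in findings)

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], repr(h["month"]), ", ".join(h["reasons"]))
    print(suspicious_requests_per_ip(hits))
```

The per-source count matters more than any single line: a time-based blind injection infers the database one character at a time, so the pattern to alert on is dozens of malformed 'month' values from one address within minutes, not a lone odd request. The same `inspect_month` predicate, expressed as a WAF rule that rejects any 'month' value failing the 1 to 12 allowlist, is the compensating control the section above describes; the slow-query signal from the database log is a separate check not covered here.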

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity (CVSS 7.5) and the potential for complete database compromise by an unauthenticated attacker, it is strongly recommended that organizations patch this vulnerability with the highest priority. All internet-facing websites using the VikRentCar plugin should be identified and updated immediately. Although this CVE is not currently on the CISA KEV list, the ease of exploitation and severe impact warrant urgent attention to prevent a potential data breach.