This vulnerability in BookingPress (<= 1.1.28) allows SQL Injection due to improper neutralization of special elements in SQL commands. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) indicates network attack vector, low attack complexity, requires high privileges, no user interaction, scope changed, high confidentiality impact, no integrity impact, and low availability impact. The vulnerability could allow an attacker with high privileges to execute crafted SQL commands that compromise confidentiality and partially affect availability. No patch or official fix details are currently available.

An attacker with high privileges could exploit this SQL Injection vulnerability to access or disclose sensitive database information (high confidentiality impact) and cause limited disruption to service availability (low availability impact). Integrity is not impacted according to the CVSS vector. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix information is provided, users should monitor vendor communications for updates. Until a fix is available, restrict high-privilege access to the affected BookingPress plugin and consider disabling or removing the plugin if feasible.