Skip to main content

Gravity Forms Booking CVE-2026-2508

| EUVDEUVD-2026-39167 MEDIUM
SQL Injection (CWE-89)
2026-06-25 Wordfence GHSA-x3xm-75xg-4hgf
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible endpoint requires only subscriber auth (PR:L); time-based SQLi yields database read access (C:H) with no write or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 25, 2026 - 04:32 vuln.today
CVE Published
Jun 25, 2026 - 03:42 nvd
MEDIUM 6.5

DescriptionCVE.org

The Gravity Forms Booking plugin for WordPress is vulnerable to time-based SQL Injection via the ‘staff_id’ parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

Time-based blind SQL injection in the Gravity Forms Booking plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to exfiltrate sensitive data from the underlying WordPress database via the 'staff_id' parameter. All plugin versions through 2.7.1 are affected due to insufficient input escaping and inadequate SQL query preparation on a user-controlled parameter. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber WordPress account
Delivery
Send crafted request with malicious staff_id
Exploit
Inject time-based SQL payload (SLEEP/BENCHMARK)
Execution
Measure server response delays
Persist
Enumerate database schema
Impact
Extract sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with at minimum Subscriber-level role, confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects a network-accessible, low-complexity attack requiring only low privilege - specifically a WordPress subscriber account - with high confidentiality impact and no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running Gravity Forms Booking 2.7.1 or earlier, then submits a crafted booking-related HTTP request with a malicious value in the 'staff_id' parameter containing time-based SQL payloads such as conditional SLEEP() calls. By measuring response time variations, the attacker iteratively extracts data from the WordPress database - including credentials, email addresses, booking records, or any PII stored therein. …
Remediation Site administrators should update the Gravity Forms Booking plugin beyond version 2.7.1 immediately; the vendor changelog at https://gravitybooking.com/docs/gravity-forms-booking/changelog/ should be consulted to identify the specific patched release version, as no exact fix version is confirmed from the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-2508 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy