Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection.This issue affects WP Travel: from n/a through <= 11.4.0.
AnalysisAI
Blind SQL injection in WP Travel plugin versions ≤11.4.0 allows authenticated attackers with low-level privileges to extract sensitive database contents through time-based or boolean queries. The vulnerability enables cross-scope confidentiality breach with high impact (CVSS:C:H), permitting unauthorized access to all WordPress database information including user credentials, private travel booking details, and payment data. EPSS data unavailable; no CISA KEV listing indicates exploitation remains targeted rather than widespread. Patchstack's inclusion in their vulnerability database suggests active researcher interest and potential proof-of-concept development.
Technical ContextAI
This vulnerability stems from improper neutralization of SQL special characters (CWE-89) within the WP Travel WordPress plugin's database query construction. The affected component is the wp_travel namespace targeting cpe:2.3:a:wp_travel:wp_travel product. SQL injection occurs when user-supplied input is concatenated directly into SQL queries without parameterized statements or proper escaping, allowing attackers to inject malicious SQL syntax. The 'Blind' classification indicates attackers cannot see direct query results but can infer data through observable differences in application behavior (timing delays, true/false conditions, or error messages). The changed scope (S:C) in the CVSS vector indicates the vulnerability allows access beyond the plugin's intended security boundary to affect the underlying WordPress database layer.
RemediationAI
Upgrade WP Travel plugin to version 11.4.1 or later immediately, assuming the vendor has released a patched version following Patchstack's disclosure (verify current version at wordpress.org/plugins/wp-travel). Access WordPress admin dashboard, navigate to Plugins → Installed Plugins, locate WP Travel, and click Update if available. If no patch exists yet, implement these compensating controls: (1) Restrict plugin access to only administrator-level users by removing lower-privileged user accounts or disabling user registration (trade-off: reduces site functionality for legitimate users); (2) Deploy web application firewall (WAF) rules to detect and block SQL injection payloads targeting WP Travel endpoints, specifically monitoring for time-based SQLi patterns like SLEEP(), BENCHMARK(), or boolean-based conditions (trade-off: may cause false positives requiring tuning); (3) Enable database query logging and monitor for suspicious patterns like UNION, SLEEP, or BENCHMARK statements originating from authenticated sessions (trade-off: performance overhead and log storage requirements). Verify patch effectiveness through Patchstack advisory updates at https://patchstack.com/database/Wordpress/Plugin/wp-travel/. Consider temporary plugin deactivation if travel booking functionality can be suspended until patch confirmation.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29458
GHSA-w43m-mxfg-9r8c