WP Travel Gutenberg Blocks
CVE-2026-54808
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network SQLi against a WordPress plugin endpoint warrants AV:N/AC:L/PR:N/UI:N; blind SQLi typically permits read and write to the DB so C:H/I:H, with no scope change since impact stays within the WordPress DB trust boundary.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel Gutenberg Blocks allows Blind SQL Injection.
This issue affects WP Travel Gutenberg Blocks: from n/a through 3.9.4.
AnalysisAI
Blind SQL injection in the WP Travel Gutenberg Blocks WordPress plugin (versions up to and including 3.9.4) allows remote unauthenticated attackers to inject arbitrary SQL into backend queries, exfiltrating data from the WordPress database via inference-based techniques. The CVSS 9.3 score reflects a scope-changed impact (S:C) where database compromise affects components beyond the plugin itself, though no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the WP Travel Gutenberg Blocks plugin (version ≤ 3.9.4) to be installed and activated on a target WordPress site, with the vulnerable endpoint reachable over the network - typically meaning the WordPress front end or REST API is internet-exposed, which is the default deployment. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Risk signals are mixed and warrant careful interpretation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends crafted HTTP requests to a public WordPress endpoint exposed by the WP Travel Gutenberg Blocks plugin (typically a block-rendering AJAX action, REST route, or shortcode parameter), injecting boolean- or time-based SQL payloads into a vulnerable parameter. Using automated tools such as sqlmap with the --technique=BT flag, the attacker iteratively infers database contents, exfiltrating wp_users password hashes, wp_options secrets, and session tokens. … |
| Remediation | Patch available per vendor advisory - upgrade WP Travel Gutenberg Blocks to a version newer than 3.9.4 once the fixed release is published by WP Travel; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-travel-blocks/vulnerability/wordpress-wp-travel-gutenberg-blocks-plugin-3-9-4-sql-injection-vulnerability for the exact fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for WP Travel Gutenberg Blocks up to version 3.9.4; disable the plugin immediately if business operations permit replacement. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today