Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network SQLi (AV:N/AC:L/PR:N/UI:N) yields high confidentiality disclosure; scope changed as the DB is a separate component, with no integrity change and only low availability impact.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in JetBooking <= 4.0.4.1 versions.
AnalysisAI
Unauthenticated SQL injection in the JetBooking WordPress plugin (versions 4.0.4.1 and earlier) lets remote attackers inject crafted SQL into a vulnerable query without any login, exposing the WordPress database. Reported by Patchstack with a CVSS 9.3 (scope-changed, high confidentiality impact), the flaw allows extraction of sensitive data such as user credentials and booking records. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the JetBooking plugin (version 4.0.4.1 or earlier) is installed and active on a network-reachable WordPress site; per the CVSS vector AV:N/AC:L/PR:N/UI:N, no authentication, no user interaction, and no special non-default configuration are required to reach the vulnerable code path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent with a genuine high priority: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N describes a network-reachable, low-complexity, unauthenticated attack requiring no user interaction, and S:C/C:H reflects significant confidentiality exposure beyond the plugin boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request to a public WordPress site running JetBooking, supplying a malicious value in a parameter that feeds an unsanitized SQL query. The injected SQL executes against the WordPress database, letting the attacker enumerate and exfiltrate sensitive data such as administrator password hashes and stored booking/customer records. … |
| Remediation | Update the JetBooking plugin to the latest available release beyond 4.0.4.1 - the input does not specify an exact fixed version, so treat the upgrade as 'No vendor-released patch version independently confirmed at time of analysis' and verify the patched build via the Crocoblock account/changelog and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jet-booking/vulnerability/wordpress-jetbooking-plugin-4-0-4-1-sql-injection-vulnerability?_s_id=cve before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress deployments to identify JetBooking installations and document versions; flag any instance running 4.0.4.1 or earlier as at-risk. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39783
GHSA-xqjr-4848-35gg