Skip to main content

JetBooking CVE-2026-54820

| EUVDEUVD-2026-39783 CRITICAL
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-xqjr-4848-35gg
9.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Unauthenticated network SQLi (AV:N/AC:L/PR:N/UI:N) yields high confidentiality disclosure; scope changed as the DB is a separate component, with no integrity change and only low availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:33 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in JetBooking <= 4.0.4.1 versions.

AnalysisAI

Unauthenticated SQL injection in the JetBooking WordPress plugin (versions 4.0.4.1 and earlier) lets remote attackers inject crafted SQL into a vulnerable query without any login, exposing the WordPress database. Reported by Patchstack with a CVSS 9.3 (scope-changed, high confidentiality impact), the flaw allows extraction of sensitive data such as user credentials and booking records. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running JetBooking ≤4.0.4.1
Delivery
Send crafted HTTP request with malicious parameter
Exploit
Inject SQL into unsanitized query
Execution
Database executes attacker SQL
Impact
Exfiltrate credentials and booking data

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the JetBooking plugin (version 4.0.4.1 or earlier) is installed and active on a network-reachable WordPress site; per the CVSS vector AV:N/AC:L/PR:N/UI:N, no authentication, no user interaction, and no special non-default configuration are required to reach the vulnerable code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent with a genuine high priority: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N describes a network-reachable, low-complexity, unauthenticated attack requiring no user interaction, and S:C/C:H reflects significant confidentiality exposure beyond the plugin boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to a public WordPress site running JetBooking, supplying a malicious value in a parameter that feeds an unsanitized SQL query. The injected SQL executes against the WordPress database, letting the attacker enumerate and exfiltrate sensitive data such as administrator password hashes and stored booking/customer records. …
Remediation Update the JetBooking plugin to the latest available release beyond 4.0.4.1 - the input does not specify an exact fixed version, so treat the upgrade as 'No vendor-released patch version independently confirmed at time of analysis' and verify the patched build via the Crocoblock account/changelog and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/jet-booking/vulnerability/wordpress-jetbooking-plugin-4-0-4-1-sql-injection-vulnerability?_s_id=cve before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress deployments to identify JetBooking installations and document versions; flag any instance running 4.0.4.1 or earlier as at-risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54820 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy