Skip to main content

Gravity Bookings Premium EUVDEUVD-2026-27548

| CVE-2026-1719 HIGH
SQL Injection (CWE-89)
2026-05-06 security@wordfence.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 10:30 vuln.today

DescriptionCVE.org

The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

SQL injection in Gravity Bookings Premium for WordPress (≤2.5.9) allows unauthenticated remote attackers to extract sensitive database information including user credentials, customer data, and booking records. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity, enabling widespread exploitation. Reported by Wordfence security research; no CISA KEV listing or public exploit code identified at time of analysis, but the trivial exploitation requirements (network accessible, no auth, no user interaction) make this a high-priority patching target for WordPress sites using this booking plugin.

Technical ContextAI

This is a classic SQL injection vulnerability (CWE-89) in a WordPress plugin's database query handling. The Gravity Bookings Premium plugin fails to properly sanitize user-supplied input parameters before incorporating them into SQL queries, and does not use prepared statements with parameterized queries. WordPress plugins often interact directly with the MySQL/MariaDB database using the wpdb class; when developers concatenate user input into raw SQL strings without escaping, attackers can inject malicious SQL syntax. The CVSS vector AV:N indicates the vulnerable endpoint is accessible over the network (likely an AJAX handler or REST API endpoint that processes booking-related requests), and PR:N confirms no authentication check protects this code path. The Confidentiality impact is High (C:H) while Integrity and Availability remain None, indicating this is a read-only SQL injection suitable for data exfiltration via UNION-based, boolean-based, or time-based blind techniques.

RemediationAI

Upgrade Gravity Bookings Premium to version 2.5.10 or later if available from the vendor at gravitybooking.com (fix version not independently confirmed at time of analysis - verify current patched version with vendor before deployment). If an updated version is not yet released, implement immediate compensating controls: disable the Gravity Bookings Premium plugin entirely until a patch is available, or restrict network access to WordPress admin and AJAX endpoints using WAF rules that block SQL injection patterns in POST/GET parameters (regex patterns for UNION, SELECT, OR 1=1, sleep(), benchmark() functions). Note that signature-based WAF protection may be bypassed by obfuscation techniques; plugin deactivation is the only certain mitigation. For production environments where booking functionality cannot be interrupted, consider moving to an alternative booking plugin temporarily, or place the WordPress installation behind authenticated VPN access to reduce the attack surface from AV:N to AV:A. Monitor WordPress database query logs and web server access logs for suspicious patterns including unusual UNION keywords, comment syntax (--,/**/, #), or time-based payloads in booking-related parameters. Consult Wordfence Threat Intel advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/ce032abe-ee9d-4be1-ac97-5fa95d598e85 for additional vendor communication and IOCs.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-27548 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy