Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
SQL injection in Gravity Bookings Premium for WordPress (≤2.5.9) allows unauthenticated remote attackers to extract sensitive database information including user credentials, customer data, and booking records. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity, enabling widespread exploitation. Reported by Wordfence security research; no CISA KEV listing or public exploit code identified at time of analysis, but the trivial exploitation requirements (network accessible, no auth, no user interaction) make this a high-priority patching target for WordPress sites using this booking plugin.
Technical ContextAI
This is a classic SQL injection vulnerability (CWE-89) in a WordPress plugin's database query handling. The Gravity Bookings Premium plugin fails to properly sanitize user-supplied input parameters before incorporating them into SQL queries, and does not use prepared statements with parameterized queries. WordPress plugins often interact directly with the MySQL/MariaDB database using the wpdb class; when developers concatenate user input into raw SQL strings without escaping, attackers can inject malicious SQL syntax. The CVSS vector AV:N indicates the vulnerable endpoint is accessible over the network (likely an AJAX handler or REST API endpoint that processes booking-related requests), and PR:N confirms no authentication check protects this code path. The Confidentiality impact is High (C:H) while Integrity and Availability remain None, indicating this is a read-only SQL injection suitable for data exfiltration via UNION-based, boolean-based, or time-based blind techniques.
RemediationAI
Upgrade Gravity Bookings Premium to version 2.5.10 or later if available from the vendor at gravitybooking.com (fix version not independently confirmed at time of analysis - verify current patched version with vendor before deployment). If an updated version is not yet released, implement immediate compensating controls: disable the Gravity Bookings Premium plugin entirely until a patch is available, or restrict network access to WordPress admin and AJAX endpoints using WAF rules that block SQL injection patterns in POST/GET parameters (regex patterns for UNION, SELECT, OR 1=1, sleep(), benchmark() functions). Note that signature-based WAF protection may be bypassed by obfuscation techniques; plugin deactivation is the only certain mitigation. For production environments where booking functionality cannot be interrupted, consider moving to an alternative booking plugin temporarily, or place the WordPress installation behind authenticated VPN access to reduce the attack surface from AV:N to AV:A. Monitor WordPress database query logs and web server access logs for suspicious patterns including unusual UNION keywords, comment syntax (--,/**/, #), or time-based payloads in booking-related parameters. Consult Wordfence Threat Intel advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/ce032abe-ee9d-4be1-ac97-5fa95d598e85 for additional vendor communication and IOCs.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27548