Skip to main content

WP Travel EUVDEUVD-2026-29458

| CVE-2026-45218 HIGH
SQL Injection (CWE-89)
2026-05-12 Patchstack GHSA-w43m-mxfg-9r8c
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 11:32 vuln.today
CVE Published
May 12, 2026 - 11:02 nvd
HIGH 7.7

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection.This issue affects WP Travel: from n/a through <= 11.4.0.

AnalysisAI

Blind SQL injection in WP Travel plugin versions ≤11.4.0 allows authenticated attackers with low-level privileges to extract sensitive database contents through time-based or boolean queries. The vulnerability enables cross-scope confidentiality breach with high impact (CVSS:C:H), permitting unauthorized access to all WordPress database information including user credentials, private travel booking details, and payment data. EPSS data unavailable; no CISA KEV listing indicates exploitation remains targeted rather than widespread. Patchstack's inclusion in their vulnerability database suggests active researcher interest and potential proof-of-concept development.

Technical ContextAI

This vulnerability stems from improper neutralization of SQL special characters (CWE-89) within the WP Travel WordPress plugin's database query construction. The affected component is the wp_travel namespace targeting cpe:2.3:a:wp_travel:wp_travel product. SQL injection occurs when user-supplied input is concatenated directly into SQL queries without parameterized statements or proper escaping, allowing attackers to inject malicious SQL syntax. The 'Blind' classification indicates attackers cannot see direct query results but can infer data through observable differences in application behavior (timing delays, true/false conditions, or error messages). The changed scope (S:C) in the CVSS vector indicates the vulnerability allows access beyond the plugin's intended security boundary to affect the underlying WordPress database layer.

RemediationAI

Upgrade WP Travel plugin to version 11.4.1 or later immediately, assuming the vendor has released a patched version following Patchstack's disclosure (verify current version at wordpress.org/plugins/wp-travel). Access WordPress admin dashboard, navigate to Plugins → Installed Plugins, locate WP Travel, and click Update if available. If no patch exists yet, implement these compensating controls: (1) Restrict plugin access to only administrator-level users by removing lower-privileged user accounts or disabling user registration (trade-off: reduces site functionality for legitimate users); (2) Deploy web application firewall (WAF) rules to detect and block SQL injection payloads targeting WP Travel endpoints, specifically monitoring for time-based SQLi patterns like SLEEP(), BENCHMARK(), or boolean-based conditions (trade-off: may cause false positives requiring tuning); (3) Enable database query logging and monitor for suspicious patterns like UNION, SLEEP, or BENCHMARK statements originating from authenticated sessions (trade-off: performance overhead and log storage requirements). Verify patch effectiveness through Patchstack advisory updates at https://patchstack.com/database/Wordpress/Plugin/wp-travel/. Consider temporary plugin deactivation if travel booking functionality can be suspended until patch confirmation.

Share

EUVD-2026-29458 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy