Skip to main content

Gravity Bookings

1 CVEs product

Monthly

CVE-2026-2508 MEDIUM This Month

Time-based blind SQL injection in the Gravity Forms Booking plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to exfiltrate sensitive data from the underlying WordPress database via the 'staff_id' parameter. All plugin versions through 2.7.1 are affected due to insufficient input escaping and inadequate SQL query preparation on a user-controlled parameter. No public exploit code or active exploitation has been identified at time of analysis, though the low authentication barrier (subscriber-level) meaningfully broadens attacker opportunity on sites with open registration.

WordPress SQLi Gravity Bookings
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based blind SQL injection in the Gravity Forms Booking plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to exfiltrate sensitive data from the underlying WordPress database via the 'staff_id' parameter. All plugin versions through 2.7.1 are affected due to insufficient input escaping and inadequate SQL query preparation on a user-controlled parameter. No public exploit code or active exploitation has been identified at time of analysis, though the low authentication barrier (subscriber-level) meaningfully broadens attacker opportunity on sites with open registration.

WordPress SQLi Gravity Bookings
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy