Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.6.
Published: 2025-12-18
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A SQL injection flaw (CWE-89) in the shinetheme Traveler theme permits blind SQL injection: the theme passes unsanitised input into a database query, and although the page never shows query results directly, a remote attacker with a low-privileged account (the CVSS vector requires PR:L) can infer database contents by observing whether a crafted condition changes the response or its timing. Because the WordPress database is shared by core, the theme and every plugin, this exposes user records, password hashes and other stored data. The CVSS vector rates confidentiality impact high and integrity and availability impact at most low, so data exfiltration and credential theft are the primary risk; wholesale modification of site content is less likely through this flaw alone.
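
The mechanism described above, as an added illustration that is not the theme's code and does not reproduce the actual vulnerable query (which the CVE record does not disclose): a hypothetical search lookup built by string concatenation, the yes/no response that makes the injection blind, a character-at-a-time extraction through that single bit, and the parameterised form of the same lookup. Table and column names mirror WordPress naming, but the schema, rows and stored value are constructed for the example, and SQLite stands in for MySQL, so quoting and function details differ slightly from a real MySQL payload.

```python
import sqlite3
import string

# Constructed stand-in for a WordPress database: WordPress-style table names, but the schema,
# rows and "hash" are invented for this example (a real wp_users.user_pass holds a password hash).
SECRET_HASH = "Tr4v3l_pw!"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT);
    """)
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (SECRET_HASH,))
    conn.executemany("INSERT INTO wp_posts (post_title) VALUES (?)",
                     [("Beach tour",), ("City break",)])
    return conn


def title_exists_vulnerable(conn, title):
    """Hypothetical CWE-89 pattern: user input spliced into the SQL string.
    Only a yes/no answer leaves the function, which is what makes the injection blind."""
    sql = f"SELECT ID FROM wp_posts WHERE post_title = '{title}'"
    return conn.execute(sql).fetchone() is not None


def title_exists_safe(conn, title):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    sql = "SELECT ID FROM wp_posts WHERE post_title = ?"
    return conn.execute(sql, (title,)).fetchone() is not None


# Characters the attacker guesses; must cover the target value and must not include the
# single quote, which would break the payload's own quoting.
CHARSET = string.ascii_letters + string.digits + "_!$.-"


def blind_extract(conn, check=title_exists_vulnerable, max_len=64):
    """Recover wp_users.user_pass for 'admin' one character at a time, using nothing
    but the boolean returned by `check`. With the safe lookup this returns ''."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in CHARSET:
            # The comment marker swallows the application's closing quote.
            payload = (
                "x' OR (SELECT SUBSTR(user_pass, %d, 1) FROM wp_users "
                "WHERE user_login = 'admin') = '%s' -- " % (pos, c)
            )
            if check(conn, payload):
                recovered += c
                break
        else:
            break  # no character matched: SUBSTR ran past the end of the value
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", blind_extract(db))                           # leaks the stored value
    print("parameterised:", repr(blind_extract(db, title_exists_safe)))  # ''
```

In a WordPress theme the equivalent of `title_exists_safe` is building the query with `$wpdb->prepare()` and `%s`/`%d` placeholders rather than concatenating `$_GET`/`$_POST` values. The loop also shows why blind extraction is noisy: each guessed character costs one request, so recovering a 60-character hash over a 70-character alphabet is on the order of a few thousand near-identical requests from one source.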

Affected Systems

All installations of the Traveler WordPress theme before version 3.2.6 are affected. The CVE range ("from n/a through < 3.2.6") gives no lower bound, so every earlier release of the shinetheme Traveler theme should be treated as vulnerable until it is upgraded.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H, score 8.5) describes a flaw reachable over the network with low attack complexity, requiring only a low-privileged account and no user interaction, with a scope change (the shared WordPress database) and high confidentiality impact; integrity and availability impact are rated at most low. The EPSS score below 1% and the SSVC assessment recorded on 18 Dec 2025 (Exploitation: none, Automatable: no) indicate no known exploitation at the time of analysis, and the CVE is not in CISA's KEV catalog. Exploitation would be through ordinary HTTP requests to the theme's form fields or URL parameters; the CVE record does not name the vulnerable parameter, and a blind injection requires many requests, one per inferred bit or character, which is the main opportunity for detection.

Generated by OpenCVE AI on April 29, 2026 at 18:49 UTC.

Remediation

No vendor fix or workaround is recorded in the CVE entry. The affected range ("< 3.2.6") implies that 3.2.6 is the first unaffected release.

OpenCVE Recommended Actions

  • Upgrade the Traveler theme to version 3.2.6 or newer, the first release outside the affected range.
  • If an immediate update is not possible, disable or restrict the theme features that accept user-supplied data, and add a web application firewall rule that blocks the markers of blind SQL injection (quote-breaking followed by OR/AND, SLEEP/BENCHMARK, SUBSTR/ASCII, trailing comment markers) in query strings and form bodies; treat this as a stopgap, since pattern rules can be evaded.
  • After applying the update or workaround, review the database for unauthorised changes such as new administrator accounts, rotate credentials that may have been read (WordPress salts, user passwords, any API keys stored in wp_options), and monitor application and web-server logs for bursts of near-identical requests from one source, which is the signature of blind extraction. Least privilege at the database level is limited for WordPress, which runs as a single database user defined in wp-config.php, but that user should hold no grants beyond its own database.
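
The log-monitoring point in the last bullet, as an added example that is not an OpenCVE, Patchstack or vendor tool: a detector that parses combined-format access-log lines, URL-decodes each query parameter, flags the markers of boolean- and time-based blind injection, and reports sources that produce repeated flagged requests. The log lines are constructed (documentation-range IPs, no real traffic), the indicator names are labels chosen here rather than WAF rule IDs, and `s` is a placeholder parameter because the CVE record does not name the vulnerable one.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); not from any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2025:10:01:02 +0000] "GET /?s=beach HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Dec/2025:10:01:05 +0000] "GET /?s=x%27+OR+%28SELECT+SUBSTR%28user_pass%2C1%2C1%29+FROM+wp_users%29%3D%27a%27+--+ HTTP/1.1" 200 4210 "-" "python-requests/2.31"
198.51.100.9 - - [18/Dec/2025:10:01:05 +0000] "GET /?s=x%27+OR+%28SELECT+SUBSTR%28user_pass%2C1%2C1%29+FROM+wp_users%29%3D%27b%27+--+ HTTP/1.1" 200 4210 "-" "python-requests/2.31"
198.51.100.9 - - [18/Dec/2025:10:01:06 +0000] "GET /?s=x%27+AND+SLEEP%285%29+--+ HTTP/1.1" 200 4210 "-" "python-requests/2.31"
203.0.113.7 - - [18/Dec/2025:10:02:10 +0000] "GET /?s=rock+%26+roll HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Markers typical of blind SQL injection; the names are hypothetical labels for this example.
SQLI_INDICATORS = {
    "quote_then_boolean": re.compile(r"'\s*(or|and)\b", re.I),          # break out of a string literal
    "time_delay": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "char_extraction": re.compile(r"\b(substr|substring|ascii|unicode|mid)\s*\(", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "trailing_comment": re.compile(r"(--|#)\s*$|/\*"),                   # swallow the rest of the query
}


def classify_value(value):
    """Return the names of every indicator that matches a decoded parameter value."""
    return [name for name, rx in SQLI_INDICATORS.items() if rx.search(value)]


def analyze(log_text):
    """Parse each line, decode its query-string parameters and collect the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "param": param, "value": value, "indicators": hits})
    return findings


def burst_sources(findings, threshold=3):
    """IPs with at least `threshold` flagged requests. Blind extraction needs one request
    per guess, so one source producing many flagged requests is the strongest signal."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["param"], f["indicators"], repr(f["value"]))
    print("burst sources:", burst_sources(found))
```

Two caveats when using this in practice. Web-server access logs carry only the request line, so an injection sent through a POST form body is invisible here and needs a WAF or application-level log that records form fields. And each indicator is a hint rather than proof; a single match on a search box is often a false positive, which is why the burst count over a short window is the signal to alert on.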

Generated by OpenCVE AI on April 29, 2026 at 18:49 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}
  Values Added:   cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 17:15:00 +0000

Type: Metrics
  Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}
                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
  Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection.This issue affects Traveler: from n/a through < 3.2.6.
Type: Title
  Values Added: WordPress Traveler theme < 3.2.6 - SQL Injection vulnerability
Type: Weaknesses
  Values Added: CWE-89
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:14.648Z

Reserved: 2025-10-31T11:23:19.708Z

Link: CVE-2025-64371

Vulnrichment

Updated: 2025-12-18T16:32:42.997Z

NVD

Status : Deferred

Published: 2025-12-18T08:16:14.007

Modified: 2026-04-27T16:16:41.733

Link: CVE-2025-64371

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:00:06Z

Weaknesses