Description
The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-05-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Weapons of choice are embedded SQL statements that allow an attacker to inject malicious queries through the "category_id" parameter. The vulnerability stems from insufficient escaping and lack of query preparation, and it falls under CWE‑89. As a result, an unauthenticated user could append additional SQL commands to legitimate queries, enabling exfiltration of content from the database.

Affected Systems

The affected plugin is GravityMore's Gravity Bookings, a WordPress add‑on, in all releases up to and including version 2.5.9. Systems running WordPress with this plugin installed and not updated to a newer version are susceptible.

Risk and Exploitability

The CVSS score of 7.5 classifies this flaw as high severity. The EPSS score is not provided, so the current likelihood of exploitation is unclear. It is not cataloged in the CISA KEV list. Exploitation path requires no authentication; an attacker can simply craft a request to the "category_id" endpoint and inject payloads that are executed within the WordPress database context.

Generated by OpenCVE AI on May 6, 2026 at 11:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Gravity Bookings to the latest release (>=2.6.0) to eliminate the injection flaw.
  • If an immediate update is not possible, disable or uninstall the Gravity Bookings plugin to remove the attack surface.
  • Apply input validation or sanitization to the "category_id" parameter, ensuring only numeric values are accepted; consider using WordPress's built‑in sanitization functions.

Generated by OpenCVE AI on May 6, 2026 at 11:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Gravitymore
Gravitymore gravity Bookings
Wordpress
Wordpress wordpress
Vendors & Products Gravitymore
Gravitymore gravity Bookings
Wordpress
Wordpress wordpress

Wed, 06 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Gravity Bookings <= 2.5.9 - Unauthenticated SQL Injection via 'category_id' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Gravitymore Gravity Bookings
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-06T14:34:37.725Z

Reserved: 2026-01-30T19:46:09.062Z

Link: CVE-2026-1719

cve-icon Vulnrichment

Updated: 2026-05-06T14:34:33.518Z

cve-icon NVD

Status : Deferred

Published: 2026-05-06T10:16:18.903

Modified: 2026-05-06T13:06:42.220

Link: CVE-2026-1719

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T21:25:52Z

Weaknesses