Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.8.
Published: 2026-01-22
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Blind SQL Injection enabled by unsanitized inputs
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an SQL injection flaw in the Traveler theme: user-supplied input is incorporated into an SQL command without proper sanitization, so an attacker can submit specially crafted input that alters the query. The flaw can lead to blind SQL injection, giving an attacker the ability to read or modify the site's database. The weakness matches CWE-89, and if exploited it could compromise the confidentiality, integrity, or availability of the data stored by the WordPress site.

Affected Systems

All versions of Shinetheme Traveler prior to 3.2.8 are affected; the advisory gives no lower bound for the affected range ("n/a" through < 3.2.8). The entry points are likely form fields or URL parameters handled by the theme where user-supplied data is passed directly into database queries.

Risk and Exploitability

The CVSS v3.1 score of 8.8 indicates high severity (the CVSS vector was revised on 23 Apr 2026, after this analysis was generated, and the score now shown for this CVE is 8.5). The EPSS of less than 1% suggests a low current probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. An attacker would need to locate a vulnerable instance, craft an input that triggers the injection, and infer the result of a blind query from indirect signals such as the absence of error messages or timing differences. Given the high severity and potential impact, the risk escalates if the compromised data contains sensitive user information.

Generated by OpenCVE AI on April 16, 2026 at 02:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Traveler theme to version 3.2.8 or later.
  • If an upgrade cannot be performed immediately, disable or restrict public access to any forms or URLs supplied by the theme that accept user input.
  • Deploy a web application firewall or custom input‑validation rules specifically tuned to block SQL injection patterns for the theme’s database queries.
  • Regularly monitor server logs for anomalous SQL activity related to the theme to detect potential exploitation attempts.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Fri, 23 Jan 2026 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection.This issue affects Traveler: from n/a through < 3.2.8.

Type: Title
Values Added: WordPress Traveler theme < 3.2.8 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:04.528Z

Reserved: 2026-01-22T14:42:32.873Z

Link: CVE-2026-24367

Vulnrichment

Updated: 2026-01-23T21:31:17.832Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:40.183

Modified: 2026-04-23T15:36:43.130

Link: CVE-2026-24367

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:15:21Z

Weaknesses