Impact
The Gravity Forms Booking plugin for WordPress contains a time‑based SQL injection flaw in the staff_id parameter. Unsanitized input allows an attacker who is logged in with Subscriber or higher privileges to inject additional SQL clauses into the existing query, enabling sensitive data extraction from the database. The vulnerability is a classic SQL injection (CWE‑89) and does not provide remote code execution but can compromise confidentiality and integrity of stored data.
Affected Systems
The flaw affects the GravityMore:Gravity Bookings plugin for WordPress, all versions up to and including 2.7.1. Users deploying any of these releases are potentially vulnerable.
Risk and Exploitability
The CVSS base score of 6.5 indicates moderate severity. The entry does not list an EPSS score, suggesting no publicly known exploit statistics, and it is not in the CISA KEV catalog. Exploitation requires an authenticated attacker with Subscriber-level access. The attacker must construct a valid request containing a malicious staff_id value; the absence of prepared statements allows the injected payload to run, though the success hinges on the presence of a readable database and sufficient privileges.
OpenCVE Enrichment