Description
The Gravity Forms Booking plugin for WordPress is vulnerable to time-based SQL Injection via the ‘staff_id’ parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-06-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Gravity Forms Booking plugin for WordPress contains a time‑based SQL injection flaw in the staff_id parameter. Unsanitized input allows an attacker who is logged in with Subscriber or higher privileges to inject additional SQL clauses into the existing query, enabling sensitive data extraction from the database. The vulnerability is a classic SQL injection (CWE‑89) and does not provide remote code execution but can compromise confidentiality and integrity of stored data.

Affected Systems

The flaw affects the GravityMore:Gravity Bookings plugin for WordPress, all versions up to and including 2.7.1. Users deploying any of these releases are potentially vulnerable.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity. The entry does not list an EPSS score, suggesting no publicly known exploit statistics, and it is not in the CISA KEV catalog. Exploitation requires an authenticated attacker with Subscriber-level access. The attacker must construct a valid request containing a malicious staff_id value; the absence of prepared statements allows the injected payload to run, though the success hinges on the presence of a readable database and sufficient privileges.

Generated by OpenCVE AI on June 25, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Gravity Forms Booking plugin to version 2.7.2 or later, which addresses the SQL injection by sanitizing the staff_id parameter
  • Restrict access to the booking functionality so that only Administrators can utilize the staff_id field, effectively narrowing the attack surface available to Subscriber users
  • Configure a Web Application Firewall or security plugin to block time‑based SQL injection patterns and enforce that the staff_id value is numeric only

Generated by OpenCVE AI on June 25, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Gravitymore
Gravitymore gravity Bookings
Wordpress
Wordpress wordpress
Vendors & Products Gravitymore
Gravitymore gravity Bookings
Wordpress
Wordpress wordpress

Thu, 25 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Description The Gravity Forms Booking plugin for WordPress is vulnerable to time-based SQL Injection via the ‘staff_id’ parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Gravity Forms Booking <= 2.7.1 - Authenticated (Subscriber+) Time-Based SQL Injection via 'staff_id'
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Gravitymore Gravity Bookings
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-25T12:20:24.311Z

Reserved: 2026-02-13T23:08:49.455Z

Link: CVE-2026-2508

cve-icon Vulnrichment

Updated: 2026-06-25T12:20:20.956Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T09:15:04Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')