Description
The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted database access via SQL injection
Action: Immediate Patch
AI Analysis

Impact

The JetBooking WordPress plugin is vulnerable to SQL Injection through the 'check_in_date' parameter in all versions up to 4.0.3. The vulnerability arises from insufficient input escaping and lack of prepared statements, allowing unauthenticated attackers to append arbitrary SQL code to the existing query. This can be exploited to retrieve sensitive data from the database, such as user credentials, booking details, or other confidential information.

Affected Systems

The affected product is the Crocoblock JetBooking plugin for WordPress. All installations running version 4.0.3 or earlier are impacted. No specific build numbers are listed beyond the upper bound of 4.0.3, so any build in that range should be considered vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, driven by the confidentiality impact of data exposure. The EPSS score is below 1%, suggesting that exploitation is not currently widespread, and the CISA KEV catalog does not list it as a known exploited vulnerability. The attack requires no authentication, so anyone who can send requests carrying the 'check_in_date' parameter to the site can trigger the injection, which makes the risk high for internet-exposed installations. No additional privileges are needed, and the injection could be used to extract arbitrary tables or data from the database.

Generated by OpenCVE AI on March 17, 2026 at 16:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify JetBooking plugin version; if 4.0.3 or earlier, schedule an update.
  • Upgrade JetBooking to the latest available version (4.0.4 or newer) from Crocoblock.
  • If an immediate upgrade is not possible, restrict the 'check_in_date' parameter to valid date ranges or filter input server-side.
  • Monitor the database and application logs for suspicious SELECT or UNION queries that may indicate exploitation.
  • Check Crocoblock's changelog page or support forum for any announced mitigations or hotfixes beyond the official patch.
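As an added example (not part of the OpenCVE record and not the plugin's own code), the two actions above in Python: a strict server-side allow-list for check_in_date (exact YYYY-MM-DD, a real calendar date, inside the booking window) and a scan of access-log request lines that reports any check_in_date value failing that allow-list. The booking window, log lines, client addresses and finding fields are constructed for the example.

```python
import re
from datetime import date, datetime
from urllib.parse import parse_qs, urlsplit

# Assumed booking window for the allow-list check (constructed for this example).
BOOKING_WINDOW = (date(2026, 3, 11), date(2027, 3, 11))
# Exact YYYY-MM-DD shape; quotes, spaces or keywords never get past this.
_DATE_SHAPE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Markers the advisory tells defenders to watch for in the parameter value.
_SQL_MARKERS = re.compile(r"\b(UNION|SELECT)\b|--|/\*|'", re.IGNORECASE)
_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request line of a combined-format entry

# Constructed access-log lines: the second carries an injection attempt, the third a value
# with the right shape that is not a real calendar date, the fourth has no check_in_date.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2026:14:20:01 +0000] "GET /?check_in_date=2026-04-10&check_out_date=2026-04-12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Mar/2026:14:21:44 +0000] "GET /?check_in_date=2026-04-10%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 9811',
    '198.51.100.7 - - [11/Mar/2026:14:22:09 +0000] "GET /?check_in_date=2019-13-45 HTTP/1.1" 200 5120',
    '192.0.2.9 - - [11/Mar/2026:14:23:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000',
]


def is_valid_check_in_date(value, window=BOOKING_WINDOW):
    """Allow-list check: exact YYYY-MM-DD, a real date, and inside the booking window."""
    if not _DATE_SHAPE.match(value):
        return False
    try:
        parsed = datetime.strptime(value, "%Y-%m-%d").date()
    except ValueError:  # right shape, impossible date (month 13, day 45, ...)
        return False
    return window[0] <= parsed <= window[1]


def scan_log(lines, window=BOOKING_WINDOW):
    """Return one finding per request whose check_in_date fails the allow-list."""
    findings = []
    for line in lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        params = parse_qs(url.query, keep_blank_values=True)
        if "check_in_date" not in params:
            continue
        raw = params["check_in_date"][0]  # percent-decoded by parse_qs
        if is_valid_check_in_date(raw, window):
            continue
        reason = "sql_marker" if _SQL_MARKERS.search(raw) else "invalid_date"
        findings.append({"client": line.split()[0], "path": url.path, "check_in_date": raw, "reason": reason})
    return findings


def scan_sample():
    return scan_log(SAMPLE_LOG)
```

Rejecting anything that is not an exact date is the point: the filter needs no list of SQL keywords, while the keyword check only labels why a value was rejected.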



Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Crocoblock; Crocoblock jetbooking; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Crocoblock; Crocoblock jetbooking; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 13:45:00 +0000

Type: Description
Values Added: The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Added: JetBooking <= 4.0.3 - Unauthenticated SQL Injection via 'check_in_date' Parameter

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1, score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T14:44:20.430Z

Reserved: 2026-03-03T18:32:46.594Z

Link: CVE-2026-3496

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-11T14:16:28.980

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-3496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:18Z

Weaknesses