Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel Gutenberg Blocks allows Blind SQL Injection.

This issue affects WP Travel Gutenberg Blocks: from n/a through 3.9.4.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP Travel Gutenberg Blocks allows attackers to send specially crafted input that bypasses normal query escaping. This flaw falls under CWE‑89, giving an attacker the ability to inject arbitrary SQL commands. When exploited, the vulnerability can lead to unauthorized data read, modification, or deletion within the WordPress database, potentially exposing sensitive user information or compromising site integrity.

Affected Systems

All installations of the WP Travel Gutenberg Blocks plugin from the earliest released versions up through 3.9.4 are affected. The product is a WordPress plugin that manages travel-related Gutenberg blocks.

Risk and Exploitability

The flaw carries a CVSS score of 9.3, indicating critical severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via web requests that influence the plugin’s SQL statements. An adversary who can reach the site’s front‑end or REST API endpoints can leverage the blind injection to extract or alter database contents without direct authentication if the plugin lacks sufficient input validation.

Generated by OpenCVE AI on June 18, 2026 at 13:48 UTC.

Remediation

Vendor Solution

Update the WordPress WP Travel Gutenberg Blocks Plugin to the latest available version (at least 3.9.5).


OpenCVE Recommended Actions

  • Update the WP Travel Gutenberg Blocks plugin to version 3.9.5 or later.
  • If the update cannot be applied immediately, disable the plugin or block its access via the WordPress admin or web server rules to stop exploitation.
  • After applying the patch, monitor site logs and database activity for signs of unauthorized access or modification.

Generated by OpenCVE AI on June 18, 2026 at 13:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp Travel
Wp Travel wp Travel Gutenberg Blocks
Vendors & Products Wordpress
Wordpress wordpress
Wp Travel
Wp Travel wp Travel Gutenberg Blocks

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel Gutenberg Blocks allows Blind SQL Injection. This issue affects WP Travel Gutenberg Blocks: from n/a through 3.9.4.
Title WordPress WP Travel Gutenberg Blocks plugin <= 3.9.4 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Wordpress Wordpress
Wp Travel Wp Travel Gutenberg Blocks
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:03:53.315Z

Reserved: 2026-06-16T09:21:34.478Z

Link: CVE-2026-54808

cve-icon Vulnrichment

Updated: 2026-06-17T14:03:31.965Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:30Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')