Impact
WP Travel Gutenberg Blocks allows attackers to send specially crafted input that bypasses normal query escaping. This flaw falls under CWE‑89, giving an attacker the ability to inject arbitrary SQL commands. When exploited, the vulnerability can lead to unauthorized data read, modification, or deletion within the WordPress database, potentially exposing sensitive user information or compromising site integrity.
Affected Systems
All installations of the WP Travel Gutenberg Blocks plugin from the earliest released versions up through 3.9.4 are affected. The product is a WordPress plugin that manages travel-related Gutenberg blocks.
Risk and Exploitability
The flaw carries a CVSS score of 9.3, indicating critical severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via web requests that influence the plugin’s SQL statements. An adversary who can reach the site’s front‑end or REST API endpoints can leverage the blind injection to extract or alter database contents without direct authentication if the plugin lacks sufficient input validation.
OpenCVE Enrichment