CVE-2026-1719: SQL Injection in Gravity Bookings

Successful exploitation of CVE-2026-1719 could allow an attacker to bypass authentication and directly query the WordPress database. This could result in the theft of sensitive information such as user credentials (usernames and passwords), customer data (names, addresses, payment information), booking details, and potentially even administrative configurations. The attacker could also modify or delete data within the database, leading to data integrity issues and service disruption. Given the widespread use of WordPress and Gravity Bookings, a successful attack could have a significant blast radius, impacting numerous websites and their users.

1. Reserviert2026-01-30
2. Veröffentlicht2026-05-05
3. Geändert2026-05-07
4. EPSS aktualisiert2026-05-13

The primary mitigation for CVE-2026-1719 is to immediately upgrade Gravity Bookings Premium to version 2.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the vulnerable parameter. Specifically, look for unusual characters or SQL keywords in user input. Additionally, review and harden database user permissions to limit the potential damage from a successful injection. After upgrading, verify the fix by attempting a SQL injection attack on the vulnerable endpoint and confirming that the attack is blocked.