Análise pendenteCVE-2026-1719

CVE-2026-1719: SQL Injection in Gravity Bookings

Plataforma

wordpress

Componente

gf-bookings-premium

Corrigido em

2.6

Ver no NVD

Salvar

CVE-2026-1719 describes a SQL Injection vulnerability discovered in Gravity Bookings Premium, a plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data extraction. The vulnerability affects versions of Gravity Bookings Premium up to and including 2.5.9. A fix is available in version 2.6.

WordPress

Detecte esta CVE no seu projeto

Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.

Escanear grátis

Impacto e Cenários de Ataquetraduzindo…

Successful exploitation of CVE-2026-1719 could allow an attacker to bypass authentication and directly query the WordPress database. This could result in the theft of sensitive information such as user credentials (usernames and passwords), customer data (names, addresses, payment information), booking details, and potentially even administrative configurations. The attacker could also modify or delete data within the database, leading to data integrity issues and service disruption. Given the widespread use of WordPress and Gravity Bookings, a successful attack could have a significant blast radius, impacting numerous websites and their users.

Contexto de Exploraçãotraduzindo…

CVE-2026-1719 was published on May 5, 2026. Severity is currently assessed as HIGH (CVSS 7.5). Public proof-of-concept (POC) code is likely to emerge given the ease of SQL injection exploitation. While no active campaigns have been publicly reported as of this writing, the vulnerability's ease of exploitation makes it a potential target for automated scanning and exploitation tools. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.

Inteligência de Ameaças

Status do Exploit

Prova de ConceitoDesconhecido

CISA KEVNO

Exposição na InternetAlta

Relatórios1 relatório de ameaça

EPSS

0.08% (percentil 24%)

CISA SSVC

Exploraçãonone

Automatizávelyes

Impacto Técnicopartial

Vetor CVSS

O que significam essas métricas?

Attack Vector: Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
Attack Complexity: Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
Privileges Required: Nenhum — sem autenticação necessária para explorar.
User Interaction: Nenhuma — ataque automático e silencioso. A vítima não faz nada.
Scope: Inalterado — impacto limitado ao componente vulnerável.
Confidentiality: Alto — perda total de confidencialidade. O atacante pode ler todos os dados.
Integrity: Nenhum — sem impacto na integridade.
Availability: Nenhum — sem impacto na disponibilidade.

Software Afetado

Componentegf-bookings-premium

Fornecedorwordfence

Versão máxima2.5.9

Corrigido em2.6

Classificação de Fraqueza (CWE)

CWE-89

Linha do tempo

Reservado2026-01-30
Publicada2026-05-05
Modificada2026-05-07
EPSS atualizado2026-05-13

Mitigação e Soluções Alternativastraduzindo…

The primary mitigation for CVE-2026-1719 is to immediately upgrade Gravity Bookings Premium to version 2.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious SQL injection attempts targeting the vulnerable parameter. Specifically, look for unusual characters or SQL keywords in user input. Additionally, review and harden database user permissions to limit the potential damage from a successful injection. After upgrading, verify the fix by attempting a SQL injection attack on the vulnerable endpoint and confirming that the attack is blocked.

Como corrigir

Atualize para a versão 2.6, ou uma versão corrigida mais recente

Perguntas frequentestraduzindo…

What is CVE-2026-1719 — SQL Injection in Gravity Bookings?

CVE-2026-1719 is a SQL Injection vulnerability affecting Gravity Bookings Premium for WordPress versions up to 2.5.9. It allows attackers to inject malicious SQL code to extract sensitive data from the database.

Am I affected by CVE-2026-1719 in Gravity Bookings?

You are affected if you are using Gravity Bookings Premium for WordPress version 2.5.9 or earlier. Check your plugin version using wp plugin list.

How do I fix CVE-2026-1719 in Gravity Bookings?

Upgrade Gravity Bookings Premium to version 2.6 or later. If immediate upgrade is not possible, implement WAF rules to filter SQL injection attempts.

Is CVE-2026-1719 being actively exploited?

While no active campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a potential target. Monitor security advisories and threat intelligence feeds.

Where can I find the official Gravity Bookings advisory for CVE-2026-1719?

Refer to the official Gravity Bookings website and WordPress plugin repository for the latest security updates and advisories related to CVE-2026-1719.

Seu projeto está afetado?

Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.

Escanear grátis Buscar CVEs

WordPress

Detecte esta CVE no seu projeto

Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.

Escanear grátis

ao vivoverificação gratuita

Escaneie seu projeto WordPress agora — sem conta

Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.

Escaneamento manualAlertas por Slack/e-mailMonitoramento ContínuoRelatórios de marca branca

Arraste e solte seu arquivo de dependências

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...

Procurar arquivos