Overview
A critical SQL injection vulnerability has been identified in the Gravity Bookings Premium plugin for WordPress. Tracked as CVE-2026-1719 with a CVSS score of 7.5 (High), the flaw affects all plugin versions up to and including 2.5.9 and can be exploited by unauthenticated attackers to extract or modify sensitive booking data.
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-1719 |
| CVSS Score | 7.5 (High) |
| Attack Vector | Network |
| Authentication | None required |
| Affected Versions | Gravity Bookings Premium ≤ 2.5.9 |
| Vulnerability Type | SQL Injection |
Technical Details
The vulnerability stems from insufficient escaping of user-supplied parameters combined with a lack of prepared statements in existing SQL queries. An unauthenticated attacker can inject malicious SQL payloads through affected input parameters to manipulate database queries.
Root Cause
The plugin fails to:
- Properly sanitize and escape user-controlled input before incorporating it into SQL queries
- Use parameterized queries or prepared statements when interacting with the WordPress database layer
This is a classic OWASP A03:2021 Injection flaw. When user input reaches the $wpdb->query() or equivalent call without sanitization, an attacker can append arbitrary SQL to extract, modify, or delete database records.
Attack Scenario
An unauthenticated attacker can:
- Extract data: Read the contents of the WordPress database, including user credentials (hashed passwords), email addresses, booking details, and customer PII
- Modify bookings: Alter or delete existing booking records
- Escalate privileges: In some configurations, extract admin credentials and gain full WordPress admin access
- Lateral movement: Use extracted credentials for further attacks
Affected Component
The Gravity Bookings Premium plugin is a commercial WordPress plugin used by hotels, rental services, appointment-based businesses, and event organizers to manage online reservations. Its widespread deployment in customer-facing booking systems makes this vulnerability particularly impactful, as booking databases routinely contain:
- Full names and contact information
- Payment references
- Reservation history
- Potentially partial payment card data depending on integration
Remediation
Immediate Actions
- Update the plugin to a patched version above 2.5.9 as soon as one becomes available from the plugin vendor
- Temporarily disable the plugin if a patch is not yet available and the site is actively targeted
- Review server logs for anomalous SQL error messages or unusual parameter values in request logs that may indicate prior exploitation
Mitigation (if update is unavailable)
- Deploy a Web Application Firewall (WAF) rule to block SQL injection patterns targeting plugin endpoints
- Restrict direct database access and ensure the WordPress database user has only the privileges it needs (no `FILE`, `DROP`, or `GRANT` permissions)
- Enable query logging on the MySQL/MariaDB instance to detect exploitation attempts
WordPress Hardening
```php
// Ensure all database queries use prepared statements: $wpdb->prepare() binds the
// user-supplied value as an integer (%d), so it can never alter the query structure.
$results = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}bookings WHERE booking_id = %d",
        $user_input
    )
);
```
Developers should audit all `$wpdb->query()` calls where user input is interpolated directly into the query string.
Detection
Monitor for:
- Unusual `UNION SELECT`, `OR 1=1`, `AND SLEEP()`, or `INFORMATION_SCHEMA` patterns in web server access logs
- Elevated database query times or errors in WordPress debug logs
- Unexpected access to `/wp-admin/` following anomalous booking-related requests
- WordPress file integrity alerts for newly created admin accounts
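One way to apply the access-log checks above, as an added example that is not part of this advisory or the plugin: a small Python scanner that decodes each request's query string (twice, so double-encoded payloads are not missed) and flags the four indicator families listed. The log lines are constructed, and the `booking_id` / `booking_lookup` parameter names are assumptions, not the plugin's real endpoints.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access-log lines, not real traffic; the
# booking_id / booking_lookup parameter names are hypothetical, not the plugin's own.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /?booking_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2026:10:00:02 +0000] "GET /?booking_id=42%27%20OR%201%3D1-- HTTP/1.1" 200 8192 "-" "curl/8.0"
203.0.113.12 - - [01/Jan/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=booking_lookup&id=1%2520UNION%2520SELECT%25201 HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.13 - - [01/Jan/2026:10:00:04 +0000] "GET /?booking_id=7%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Jan/2026:10:00:05 +0000] "GET /?booking_table=information_schema.columns HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.15 - - [01/Jan/2026:10:00:06 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

# The indicator families listed under Detection, as regexes over a decoded query string.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    "or_tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),    # OR 1=1
    "time_delay": re.compile(r"\b(and|or)\b\s+sleep\s*\(", re.I),   # AND SLEEP(
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalise(raw_query):
    """Percent-decode twice (catches double encoding), drop /* */ comments, collapse whitespace."""
    decoded = unquote_plus(unquote_plus(raw_query))
    return re.sub(r"\s+", " ", re.sub(r"/\*.*?\*/", " ", decoded)).strip()

def classify(line):
    """Return an alert dict for one log line, or None when it carries no listed indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = m.group("path").partition("?")[2]
    if not query:  # POST bodies never reach the access log, so there is nothing to inspect
        return None
    hits = sorted(name for name, rx in SQLI_PATTERNS.items() if rx.search(normalise(query)))
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "path": m.group("path"), "indicators": hits}

def scan(log_text):
    """Scan a whole log and return alerts in file order."""
    return [a for a in (classify(line) for line in log_text.splitlines()) if a]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Because POST bodies are absent from standard access logs, this only covers GET-style parameters; the WAF rules and MySQL query logging recommended above are what close that gap.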