HarborGuard Database
CVE-2026-54808 (CRITICAL). CNA: Patchstack.

CVE-2026-54808: WordPress WP Travel Gutenberg Blocks plugin <= 3.9.4 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel Gutenberg Blocks allows Blind SQL Injection. This issue affects WP Travel Gutenberg Blocks: from n/a through 3.9.4.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: no fix version published upstream
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A SQL injection vulnerability in the WP Travel Gutenberg Blocks WordPress plugin (versions up to and including 3.9.4) allows an unauthenticated remote attacker to send crafted HTTP requests to the affected site. The exploit uses blind SQL injection, meaning the attacker infers database contents through indirect responses rather than direct output. Successful exploitation gives the attacker read access to the WordPress database and can cause partial disruption to the service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-54808 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, NVD, and vendor advisories. Coverage extends to custom-built images that bundle the WP Travel Gutenberg Blocks plugin, not just images pulled from public registries.

Status: Available
Triage

HarborGuard scores this CVE at 9.3 CRITICAL using the CVSS v3.1 vector and weights findings against each customer org's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer environment based on configured ownership rules.

Status: Available
Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment WP Travel ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress site over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No account or session token is required; the malicious requests can be sent by any anonymous user.

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker interacts directly with the vulnerable endpoint.

  • Attack complexity: Low (AC:L)

    Exploitation is reliable and condition-free; no race conditions or special environmental factors are required.

Blast Radius

  • Reads arbitrary rows from the WordPress database, including user credentials (hashed passwords), email addresses, session tokens, and plugin configuration data.
  • Blind injection timing or boolean techniques allow the attacker to reconstruct full table contents even without direct query output.
  • Causes partial availability disruption to the WordPress site as a side effect of heavy or malformed query injection.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at CRITICAL severity and matched against any customer image containing the WP Travel Gutenberg Blocks plugin at version 3.9.4 or earlier. Because no upstream fix exists as of the publication date, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment WP Travel publishes a remediated version. In the interim, compensating controls worth considering include network-policy rules that restrict public access to affected WordPress REST API or block-rendering endpoints, web application firewall rules targeting SQL metacharacter patterns in request parameters, and feature-flag or plugin-deactivation gating to disable the vulnerable blocks until a patch is available. For customers with auto-remediation enabled, the full rebuild, regression run, and PR flow will trigger automatically against affected workloads once a fix version is confirmed upstream.
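As an added defender-side example (not code from the advisory or from HarborGuard), the following Python scans constructed access log lines for the blind SQL injection probe patterns described above, time-based and boolean-based, which is the kind of signature the WAF rule mentioned as a compensating control would encode. The REST path in the sample log is a placeholder; the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Blind-SQLi indicators in parameters: time-based functions, boolean
# tautology pairs, and a trailing comment that truncates the query. Heuristic.
TIME_BASED = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b\s*\(?", re.I)
BOOLEAN_BASED = re.compile(r"\b(and|or)\s+'?\d+'?\s*=\s*'?\d+'?", re.I)
COMMENT_TAIL = re.compile(r"(--|#|/\*)\s*$")

# Common/combined log format; only the fields the scan needs are captured.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)')

def classify_request(target):
    """Return (indicator, parameter) pairs found in the decoded query string."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # second pass catches double-encoded payloads
        if TIME_BASED.search(decoded):
            findings.append(("time-based", name))
        if BOOLEAN_BASED.search(decoded):
            findings.append(("boolean-based", name))
        if COMMENT_TAIL.search(decoded):
            findings.append(("comment-truncation", name))
    return findings

def scan_log(lines):
    """Return one hit per request whose parameters carry an injection indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "indicators": findings})
    return hits

# Constructed sample access log. The REST path is a placeholder, not the
# plugin's real endpoint, which the advisory does not name.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /wp-json/placeholder-blocks/v1/trips?trip_id=12 HTTP/1.1" 200 4821',
    '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /wp-json/placeholder-blocks/v1/trips?trip_id=12%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 120',
    '203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] "GET /wp-json/placeholder-blocks/v1/trips?trip_id=12%20AND%201%3D1 HTTP/1.1" 200 4821',
    '198.51.100.3 - - [10/Mar/2026:12:00:04 +0000] "GET /?s=travel HTTP/1.1" 200 9001',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third requests from 203.0.113.7 and leaves the benign ones alone; a burst of such hits from one source against the plugin's endpoints is the signal to act on while the upstream fix is pending.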

Affected packages
  • WP Travel / WP Travel Gutenberg Blocks: ≤ 3.9.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L