CRITICAL | CVE-2026-54820 | CNA: Patchstack

CVE-2026-54820: WordPress JetBooking plugin <= 4.0.4.1 - SQL Injection vulnerability

Unauthenticated SQL injection in JetBooking versions <= 4.0.4.1.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the JetBooking WordPress plugin at version 4.0.4.1 and earlier. It is reachable over the network with no authentication required and has a changed scope, meaning the flaw can affect components beyond the vulnerable plugin itself. Successful exploitation gives an attacker direct read access to the underlying database and can cause partial service disruption. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the JetBooking plugin. Any image carrying JetBooking at or below version 4.0.4.1 is flagged automatically.
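The version match described above, as an added example written for this page (it is not HarborGuard's scanner or any Crocoblock code): it parses a WordPress-style plugin header, compares the version against the advisory's <= 4.0.4.1 ceiling numerically, and reports the affected install. The plugin header texts and the directory paths are constructed placeholders, not the real JetBooking files. The numeric comparison matters because a plain string comparison would misclassify a hypothetical 4.0.10 as affected.

```python
import re

# Affected range from the advisory: JetBooking <= 4.0.4.1 (no fixed version published).
AFFECTED_PLUGIN = "JetBooking"
AFFECTED_MAX = "4.0.4.1"

# Constructed sample plugin headers in WordPress style. These are placeholders
# written for this example, not the contents of the real JetBooking files.
SAMPLE_FILES = {
    "wp-content/plugins/PLUGIN-DIR-PLACEHOLDER/plugin.php": """<?php
/**
 * Plugin Name: JetBooking
 * Version: 4.0.4.1
 */
""",
    "wp-content/plugins/OTHER-PLUGIN-PLACEHOLDER/other.php": """<?php
/**
 * Plugin Name: Some Other Plugin
 * Version: 4.0.0
 */
""",
}

# One header field per line, optionally prefixed by the comment-block asterisk.
HEADER_RE = r"^\s*\*?\s*{field}:\s*(.+?)\s*$"


def parse_plugin_header(text):
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin header block."""
    name = re.search(HEADER_RE.format(field="Plugin Name"), text, re.M)
    version = re.search(HEADER_RE.format(field="Version"), text, re.M)
    if not name or not version:
        raise ValueError("no WordPress plugin header found")
    return {"name": name.group(1), "version": version.group(1)}


def version_key(version):
    """Turn '4.0.10' into a list that compares numerically (4.0.10 > 4.0.4.1).
    Non-numeric pieces such as 'beta' sort below any number."""
    key = []
    for piece in re.split(r"[.\-]", version.strip()):
        key.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return key


def is_affected(version, affected_max=AFFECTED_MAX):
    """True when version <= affected_max under numeric, component-wise comparison."""
    return version_key(version) <= version_key(affected_max)


def naive_is_affected(version, affected_max=AFFECTED_MAX):
    """Plain string comparison, kept only to show why it is wrong: '4.0.10' sorts
    before '4.0.4.1' character by character and would be flagged as affected."""
    return version <= affected_max


def scan_plugin_files(files, plugin_name=AFFECTED_PLUGIN, affected_max=AFFECTED_MAX):
    """files: {path: main-file text}. Returns (path, version) for each affected install."""
    findings = []
    for path, text in files.items():
        try:
            header = parse_plugin_header(text)
        except ValueError:
            continue  # not a plugin main file; skip it
        if header["name"].lower() != plugin_name.lower():
            continue
        if is_affected(header["version"], affected_max):
            findings.append((path, header["version"]))
    return findings


if __name__ == "__main__":
    for path, version in scan_plugin_files(SAMPLE_FILES):
        print("AFFECTED:", path, AFFECTED_PLUGIN, version, "<=", AFFECTED_MAX)
```

Running it against the constructed files flags only the placeholder JetBooking install at 4.0.4.1; the other plugin is skipped by name before any version comparison.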
Triage: Available

HarborGuard is capable of scoring this finding at CVSS 9.3 Critical and weighting it further against each customer environment's compliance policy, which can escalate or suppress alert priority based on internet exposure or data-classification rules. Triage results are routed to the inbox or ticketing integration configured for each customer organization.
Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Crocoblock or Patchstack publishes a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Not required

    No account or session token is needed; the injection can be triggered by an anonymous, unauthenticated HTTP request.

  • Victim interaction: Not required

    No user action is required; the attacker sends a crafted request directly to the server without any social-engineering step.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special timing, or knowledge of environmental state.

Blast Radius

  • Reads arbitrary data from the WordPress database, including user credentials, session tokens, and any booking or customer records stored by JetBooking.
  • Because the vulnerability has a changed scope, query results from adjacent database tables, potentially outside the plugin's own schema, can also be extracted.
  • Can cause partial availability loss, such as slow or failed page loads, if injected queries place significant load on the database server.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at CVSS 9.3 Critical for any image found to contain JetBooking at or below version 4.0.4.1, with no fix version currently available from the vendor. HarborGuard monitors the Patchstack advisory and the Crocoblock release feed on every ingest cycle. The moment a patched version is published upstream, a rebuilt image will become available, and for customers with auto-remediation enabled, the pipeline will open a PR against affected workloads automatically. While no upstream patch exists, compensating controls worth considering include placing WordPress behind a web application firewall with SQL injection rule sets enabled, applying strict network policy to limit which services can reach the database, and, if the booking feature is not actively needed, disabling or removing the plugin entirely to eliminate the attack surface.

Affected packages

  • Crocoblock. Jetimpex Inc. / JetBooking: ≤ 4.0.4.1

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
References