External risk intelligence

WP Travel Gutenberg Blocks Blind SQL Injection Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-54808

A SQL injection vulnerability exists in WP Travel Gutenberg Blocks, allowing attackers to potentially access and modify sensitive database information. This issue is relevant to public-facing WordPress sites using the plugin, as it could lead to unauthorized data exposure or tampering without requiring special access o

SQL Injection

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

The vulnerability exists in a WordPress plugin used to add blocks to web pages. Such plugins are core components of public-facing web applications, meaning the vulnerable code is processed and reachable whenever a visitor accesses a site using the plugin, making public internet exposure a standard part of its deployment.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical SQL injection vulnerability within the WP Travel Gutenberg Blocks for WordPress. This flaw allows for unauthorized data access by injecting malicious commands into database queries. The primary concern is confirming if your WordPress sites utilize this specific plugin and, if so, assessing potential exposure.

  • Allows attackers to access sensitive data.
  • Important for public-facing WordPress sites.
  • Verify plugin use and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted input to a vulnerable component of the WP Travel Gutenberg Blocks plugin. This could allow them to indirectly access and manipulate the site's database, potentially leading to unauthorized data exposure or modification.

  • No special access needed.
  • User interaction with vulnerable feature.
  • Database compromise and unauthorized data access.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, this SQL injection vulnerability in WP Travel Gutenberg Blocks could allow an unauthenticated attacker to perform blind SQL injection attacks. This could potentially lead to the disclosure of sensitive information or unauthorized modification of the application's database.

  • Database contents could be at risk.
  • Attacker sends crafted requests to the plugin.
  • Sensitive information disclosure or database tampering.

Operational Fix

Recommended remediation, mitigation, and detection steps

This SQL injection vulnerability in WP Travel Gutenberg Blocks is likely to affect organizations using this plugin for their WordPress sites, particularly those with public-facing content. The first practical step is to identify all instances of WP Travel Gutenberg Blocks, assess their exposure and business criticality, and then engage the platform or application owner to plan remediation.

  • Identify plugin instances and ownership.
  • Verify plugin reachability and criticality.
  • Plan remediation based on assessed risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-54808 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

SQL injection flaws are a PCI DSS violation. This vulnerability allows attackers to manipulate database queries, potentially leading to data compromise.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the WP Travel Gutenberg Blocks plugin?

It is a WordPress plugin designed to extend the Gutenberg editor, allowing site administrators to create and manage travel-related content using custom blocks. It is commonly used by travel agencies or tour operators to showcase itineraries and bookings directly on their website pages.

What does CVE-2026-54808 mean by SQL Injection?

This CVE falls under the weakness class CWE-89, which occurs when software fails to properly sanitize user-provided data before including it in database queries. In this case, an attacker can manipulate those queries to trick the database into revealing information it should keep private.

How is this SQL vulnerability triggered?

The flaw is triggered when an attacker sends specially crafted web requests to the vulnerable plugin component. It is important to note that this does not require a user to log in or interact with the site; the vulnerability exists in the way the plugin processes incoming data directly from the network.

Is my site at risk from this vulnerability?

According to Halo Surface Signal, this vulnerability is considered highly relevant for public-facing web applications. Because the plugin is designed to render blocks on web pages, its code is inherently processed whenever a visitor accesses your site, making it a natural point for internet-based interactions.

What should I do if I use this plugin?

The first step is to create an inventory of all WordPress sites where this plugin is currently installed. Once identified, evaluate the criticality of those sites and contact the site owners or developers to coordinate a security review and ensure any available updates or patches are applied.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished