CVE-2026-54820
Deferred Deferred - Pending Action
Unauthenticated SQL Injection in JetBooking

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Unauthenticated SQL Injection in JetBooking <= 4.0.4.1 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-54820
EUVD
EUVD-2026-39783
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack jet_booking to 4.0.4.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-54820 is an unauthenticated SQL Injection vulnerability found in the WordPress JetBooking Plugin versions 4.0.4.1 and below.

This flaw allows attackers to interact directly with the website's database without needing to log in or authenticate.

It is classified as a high-priority issue with a CVSS score of 9.3 and falls under the OWASP Top 10 category A3: Injection.

Impact Analysis

This vulnerability can have serious impacts as it allows attackers to access and manipulate the website's database directly.

  • Attackers could steal sensitive information stored in the database.
  • It may lead to data breaches or unauthorized data exposure.
  • The vulnerability can be exploited without any authentication, increasing the risk of attack.
  • It can cause partial denial of service by impacting database availability.
Detection Guidance

The vulnerability is an unauthenticated SQL Injection in JetBooking plugin versions 4.0.4.1 and below. Detection typically involves monitoring for suspicious SQL injection attempts targeting the plugin's endpoints.

While specific commands are not provided in the available resources, common detection methods include inspecting web server logs for unusual query parameters or payloads that attempt SQL injection patterns, such as SQL keywords or tautologies.

Network intrusion detection systems (NIDS) or web application firewalls (WAF) with rules targeting SQL injection can help detect exploitation attempts.

Mitigation Strategies

The immediate recommended step is to update the JetBooking plugin to version 4.0.4.2 or later, which contains the patch for this SQL Injection vulnerability.

Until the update can be applied, users should implement mitigation rules provided by Patchstack to block attack attempts against the vulnerable plugin.

Users may also seek assistance from their hosting provider or developer to apply these mitigations or enable automated mitigation and auto-update features offered by Patchstack.

Compliance Impact

The SQL Injection vulnerability in JetBooking versions 4.0.4.1 and below allows attackers to interact directly with the website's database and potentially steal sensitive information.

Such unauthorized access and data theft can lead to violations of data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data from unauthorized access.

Therefore, exploitation of this vulnerability could result in non-compliance with these common standards and regulations due to the risk of data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54820. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart