← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-1719 · CWE-89 · Disclosed 2026-05-05

Gravity Bookings <= 2

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a lockpick for a side door, not a skeleton key for the whole enterprise

CVE-2026-1719 is an unauthenticated SQL injection in the commercial WordPress plugin Gravity Bookings Premium (gf-bookings-premium) affecting versions up to and including 2.5.9. Wordfence and Patchstack both say the bug sits in handling of the category_id parameter and allows remote attackers to append SQL to an existing query, with the practical outcome being database data disclosure rather than clean code execution. Wordfence lists 2.6 as the patched release, and NVD shows the record as published on 2026-05-06.

The vendor/CNA HIGH 7.5 rating is technically defensible in a vacuum because it is network-reachable and pre-auth. In the real world, though, this is a niche premium WordPress booking add-on, there is no KEV listing, the supplied EPSS is only 0.00084, and the only public exploit material I found is a metadata-based PoC/WAF rule writeup rather than broad in-the-wild tradecraft. That combination pushes this down to MEDIUM for enterprise patch scheduling.

"Pre-auth SQLi is real, but the target set looks tiny and there is no evidence of active exploitation"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an exposed site running the plugin

The attacker first needs a public WordPress site with the premium Gravity Bookings code actually installed and active. In practice that means identifying a booking-enabled WordPress application, not just any WordPress host, and then confirming the vulnerable plugin path is reachable.
Conditions required:
  • Internet-facing WordPress site
  • Gravity Bookings Premium installed and enabled
  • Vulnerable version <= 2.5.9
Where this breaks in practice:
  • This is a niche premium plugin, not a mass-market core component
  • Many enterprise WordPress instances do not expose specialty booking workflows publicly
  • Plugin fingerprinting for paid add-ons is weaker than for free repo plugins
Detection/coverage: External scanners may flag WordPress but miss the paid plugin. Asset inventory, WP-CLI, and file-based version checks are more reliable than internet scans.
STEP 02

Hit the vulnerable request path with SQLi

The attacker then sends a crafted request carrying a malicious category_id value. A public PoC-style writeup from Atomic Edge *infers* the path may be wp-admin/admin-ajax.php with action gf_bookings_get_categories; if that inference is correct, this is a straightforward pre-auth SQLi target for tools like sqlmap or a manual UNION/time-based payload.
Conditions required:
  • Exact vulnerable endpoint/action exposed without auth
  • Unsanitized category_id reaches the database query
Where this breaks in practice:
  • The public PoC is metadata-based, so the exact weaponized route is not independently vendor-confirmed
  • Wordfence/Patchstack-style WAF rules are well-suited to obvious SQLi patterns on admin-ajax.php
  • Reverse proxies, rate limits, and managed WordPress hosting often add noise and blocking
Detection/coverage: Look for admin-ajax.php requests with SQL metacharacters, UNION/select patterns, or abnormal timing. WAFs and HTTP logs should catch the noisy versions of this step.
STEP 03

Extract useful data from the WordPress database

If the injection is exploitable, the attacker uses UNION, error-based, or blind/time-based techniques to read data the web app's database account can access. The likely prize is WordPress user hashes, email addresses, booking/customer data, and potentially API keys or plugin secrets stored in options tables.
Conditions required:
  • Database account has read access to sensitive tables
  • The query returns attacker-observable output or timing side channels
Where this breaks in practice:
  • Many real SQLi cases in WordPress become blind and slow rather than clean and high-bandwidth
  • Unknown table prefixes, WAF normalization, and response shaping slow automated extraction
  • The CVSS only claims confidentiality impact, which suggests this path is mainly data theft
Detection/coverage: Database error logs, slow-query spikes, repeated similar POSTs, and WAF SQLi signatures are useful. SQLi exploitation is often noisy once extraction starts.
STEP 04

Turn dumped data into follow-on access

The business impact only gets worse if extracted credentials or secrets can be reused elsewhere. Password hashes may be crackable offline, booking records may contain PII, and plugin/API tokens can open adjacent SaaS workflows, but none of that is guaranteed from the CVE alone.
Conditions required:
  • Sensitive data present in reachable tables
  • Credential reuse, weak passwords, or reusable tokens
Where this breaks in practice:
  • Modern password hashing, MFA, and isolated service accounts reduce pivot value
  • Many enterprises treat WordPress as a single-purpose marketing app with limited blast radius
  • No evidence found of widespread post-exploitation playbooks tied to this CVE
Detection/coverage: Watch for password spraying against WordPress/admin portals, unusual admin logins, and reuse of exfiltrated application credentials.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public exploitation evidence found. CISA ADP enrichment on the CVE record marks exploitation as none, and I found no KEV listing. Sources: OpenCVE, CISA KEV Catalog
Public PoC availabilityLimited/weak public PoC evidence. Atomic Edge published a metadata-based PoC/WAF-rule article that *infers* an AJAX action and shows sample payload structure; that is enough to lower attacker effort, but it is not the same as mature mass-exploitation tooling. Source: Atomic Edge
EPSS0.00084 from the CVE enrichment visible in OpenCVE. That is a very low exploitation-probability signal and a strong downward pressure on emergency patch priority.
KEV statusNot listed in the CISA KEV catalog. No ransomware-use signal or federal patch deadline amplifier.
CVSS vector meaningCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N means internet-reachable, low-complexity, pre-auth exploitation with confidentiality impact only. That is serious for a public web app, but the absence of integrity/availability impact matters.
Affected versionsGravity Bookings Premium <= 2.5.9 according to Wordfence, Patchstack, and NVD.
Fixed version2.6 is the patched version per Wordfence and Patchstack. I found no distro/backport packaging evidence; treat this as a direct plugin upgrade.
Exposure/populationProbably small. The public WordPress.org listing for the related Gravity Booking plugin shows fewer than 10 active installations for the free listing, which is not proof of premium install count but does suggest this is not a WordPress-at-scale population. Source: WordPress.org plugin page
Disclosure timelineWordfence shows publicly published 2026-05-05; the CVE record shows vendor notified 2026-04-13 and disclosed 2026-05-05; NVD shows the entry present with publication on 2026-05-06. Sources: Wordfence, OpenCVE, NVD
Researcher / reporting orgFinder credited as Abdulsamad Yusuf (0xVenus) / Envorasec in Wordfence and the OpenCVE record.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.4/10)

The decisive factor is reachability of the affected population, not the raw bug class. This is pre-auth SQLi on paper, but it appears confined to a small, premium WordPress plugin footprint with no active exploitation evidence, which makes it a real issue for exposed sites rather than a fleet-wide emergency.

HIGH Affected version and patched version (`<=2.5.9`, fixed in `2.6`)
MEDIUM Severity downgrade based on low prevalence and lack of exploitation evidence
LOW Exact vulnerable HTTP action/path inferred from public PoC material

Why this verdict

  • Downgrade for narrow population: this is a premium niche WordPress booking add-on, not WordPress core or a mass-market plugin, so the exposed population is much smaller than the CVSS baseline assumes.
  • Downgrade for low threat pressure: EPSS 0.00084, no KEV, and no solid reports of active campaigns materially reduce Monday-morning urgency.
  • Partial impact only: the published vector claims confidentiality impact without integrity or availability impact, which matters when converting bug severity into patch priority.
  • Some modern controls help: WAFs and WordPress security layers are unusually well-suited to stopping noisy SQLi against admin-ajax.php, especially once signatures exist.
  • Still not LOW: the attack is still unauthenticated and internet-reachable on vulnerable sites, so any organization actually running this plugin on a public booking flow should treat it as a legitimate external-app risk.

Why not higher?

A higher bucket would require a bigger real-world blast radius or stronger threat evidence. We do not have that here: no KEV, no observed exploitation, a very low EPSS signal, and a likely small install base for this product family. The vendor's 7.5 reflects the technical shape of the bug, but not the scarcity of likely targets.

Why not lower?

This is still pre-auth SQLi against a public web application component, which means a vulnerable exposed site can leak database content without prior compromise. Even if the affected population is small, the organizations that do run it on internet-facing booking pages are carrying genuine external attack surface.

05 · Compensating Control

What to do — in priority order.

  1. Block SQLi patterns on admin-ajax.php — Deploy or tune WAF rules to inspect category_id and related booking parameters for SQL metacharacters, UNION/select, boolean/time-based payloads, and abnormal POST bodies. For a MEDIUM verdict there is no noisgate mitigation SLA; do this as normal web hardening if patching is not immediate.
  2. Reduce public reachability of booking actions — If the booking workflow is not required on the public internet, move it behind access control, IP allowlists, or a reverse-proxy rule that only exposes the minimum endpoints. There is no mitigation SLA — go straight to the 365-day remediation window, but exposed internet forms are where this CVE matters.
  3. Turn on WordPress security telemetry — Log and alert on repeated hits to wp-admin/admin-ajax.php, especially requests carrying category_id, SQL keywords, long encoded strings, or timing anomalies. This helps catch opportunistic scanning while you validate whether the plugin is present.
  4. Constrain database and secret fallout — Verify the WordPress database account is not over-privileged and rotate any plugin/API secrets stored in options tables if you suspect prior exposure. This does not remove the vulnerability, but it cuts the value of successful data extraction.
What doesn't work
  • MFA on WordPress admin does not stop the initial bug because exploitation is unauthenticated.
  • Hiding or hardening wp-login.php does not help; the likely attack path targets public application requests, not the login page.
  • Perimeter EDR on endpoints is mostly irrelevant here because this is web app/database abuse, not an on-host malware execution problem.
06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host with read access to the WordPress install directory. Invoke it as sudo bash check_gf_bookings.sh /var/www/html; root is not strictly required, but you need permission to read plugin files under wp-content/plugins.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_gf_bookings.sh
# Detect vulnerable Gravity Bookings Premium versions on a WordPress host.
# Usage: bash check_gf_bookings.sh /path/to/wordpress
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

WP_ROOT="${1:-}"
if [[ -z "$WP_ROOT" ]]; then
  echo "UNKNOWN - usage: $0 /path/to/wordpress"
  exit 2
fi

PLUGIN_DIR="$WP_ROOT/wp-content/plugins/gf-bookings-premium"
if [[ ! -d "$PLUGIN_DIR" ]]; then
  echo "UNKNOWN - plugin directory not found: $PLUGIN_DIR"
  exit 2
fi

version=""
files=(
  "$PLUGIN_DIR/gf-bookings-premium.php"
  "$PLUGIN_DIR/gravity-bookings.php"
  "$PLUGIN_DIR/gravity-booking.php"
  "$PLUGIN_DIR/readme.txt"
)

extract_version() {
  local f="$1"
  if [[ ! -r "$f" ]]; then
    return 1
  fi

  local v
  v=$(grep -Eim1 '^[[:space:]]*(Version:|Stable tag:)' "$f" 2>/dev/null | sed -E 's/^[[:space:]]*(Version:|Stable tag:)[[:space:]]*//I' | tr -d '\r')
  if [[ -n "$v" ]]; then
    echo "$v"
    return 0
  fi

  v=$(grep -Eom1 "([0-9]+\.){1,3}[0-9]+" "$f" 2>/dev/null | head -n1 | tr -d '\r')
  if [[ -n "$v" ]]; then
    echo "$v"
    return 0
  fi

  return 1
}

for f in "${files[@]}"; do
  if v=$(extract_version "$f"); then
    version="$v"
    src="$f"
    break
  fi
done

if [[ -z "$version" ]]; then
  echo "UNKNOWN - unable to determine plugin version from $PLUGIN_DIR"
  exit 2
fi

# Normalize version by stripping non-version suffixes, e.g. 2.6-beta -> 2.6
norm=$(echo "$version" | grep -Eom1 '([0-9]+\.){1,3}[0-9]+')
if [[ -z "$norm" ]]; then
  echo "UNKNOWN - extracted unreadable version: $version"
  exit 2
fi

if [[ "$norm" == "2.6" ]] || [[ "$norm" == "2.6.0" ]]; then
  echo "PATCHED - Gravity Bookings Premium version $version detected from $src"
  exit 0
fi

if dpkg --compare-versions "$norm" le "2.5.9" 2>/dev/null; then
  echo "VULNERABLE - Gravity Bookings Premium version $version detected from $src"
  exit 1
fi

# Fallback for systems without dpkg semantics or unusual future versions
if printf '%s\n%s\n' "$norm" "2.5.9" | sort -V -C; then
  echo "VULNERABLE - Gravity Bookings Premium version $version detected from $src"
  exit 1
fi

if printf '%s\n%s\n' "2.6" "$norm" | sort -V -C; then
  echo "PATCHED - Gravity Bookings Premium version $version detected from $src"
  exit 0
fi

echo "UNKNOWN - version $version detected from $src but could not be classified confidently"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do an inventory sweep of any internet-facing WordPress estates and confirm whether gf-bookings-premium is actually present; most enterprises can probably close this as non-applicable quickly. If you do find exposed installs, there is no noisgate mitigation SLA — go straight to the 365-day remediation window for this MEDIUM verdict, but I would still patch the public sites in the next normal web-app change window and complete upgrade to 2.6+ within the noisgate remediation SLA of ≤365 days; if patching must wait, add WAF coverage and extra admin-ajax.php monitoring immediately as a sensible hardening measure, not an emergency response action.

Sources

  1. Wordfence vulnerability entry
  2. Patchstack database entry
  3. NVD record
  4. OpenCVE record with CNA timeline and CISA ADP enrichment
  5. Atomic Edge metadata-based PoC/WAF writeup
  6. Vendor changelog/documentation
  7. WordPress.org related Gravity Booking plugin page
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.