PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54808 WP Travel CVE debrief

A critical SQL injection vulnerability, CVE-2026-54808, has been identified in the WP Travel Gutenberg Blocks plugin. It has a CVSS score of 9.3, allows blind SQL injection, and affects plugin versions from n/a through 3.9.4. The CVE was published on June 17, 2026, and last modified on the same day. Users of the affected plugin should take immediate action to mitigate the risk.

Vendor: WP Travel
Product: WP Travel Gutenberg Blocks
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of the WP Travel Gutenberg Blocks plugin, especially those using versions from n/a through 3.9.4, should be aware of this critical vulnerability and take necessary actions to secure their installations.

Technical summary

CVE-2026-54808 is caused by improper neutralization of special elements used in an SQL command (CWE-89), which results in blind SQL injection in the WP Travel Gutenberg Blocks plugin. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L.

Defensive priority

critical

Recommended defensive actions

  • Update the WP Travel Gutenberg Blocks plugin to a version beyond 3.9.4.
  • Implement a Web Application Firewall (WAF) to detect and prevent SQL injection attacks.
  • Regularly monitor plugin and theme updates for known vulnerabilities.
  • Use secure coding practices when developing custom plugins and themes.
  • Limit database privileges for the user account used by the plugin.
  • Perform regular security audits and vulnerability assessments.
  • Consider using a security plugin to enhance WordPress security.
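To act on the first item, the affected installs have to be found first. The script below is an added example, not code from PatchSiren or WP Travel: it scans a `wp-content/plugins` directory for plugin header comments naming the product and flags versions at or below 3.9.4. Matching on the header name is an assumption (the plugin's directory slug is not given here), and the directory names in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

PRODUCT = "WP Travel Gutenberg Blocks"  # product name as given in this advisory
LAST_AFFECTED = (3, 9, 4)               # advisory: affected through 3.9.4

# WordPress plugin header fields, e.g. " * Plugin Name: Foo" / " * Version: 1.2.3"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)

def parse_version(text):
    """'3.9.4-rc2' -> (3, 9, 4). Suffixes are dropped, so pre-releases of the
    last affected version are still flagged (conservative)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(n) for n in m.group(1).split(".")) if m else (0,)

def read_header(php_file):
    """Return lower-cased header fields from a plugin's main PHP file."""
    head = php_file.read_text(errors="replace")[:8192]  # WordPress reads the first 8 KB
    return {key.lower(): value for key, value in HEADER.findall(head)}

def find_affected(plugins_dir):
    """Return [(plugin_directory, version)] for installs <= LAST_AFFECTED."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        meta = read_header(php_file)
        if meta.get("plugin name", "").lower() != PRODUCT.lower():
            continue
        version = meta.get("version", "0")  # missing version: treat as affected
        if parse_version(version) <= LAST_AFFECTED:
            hits.append((php_file.parent.name, version))
    return hits

def demo():
    """Scan a constructed plugins tree: one affected copy, one newer copy."""
    with tempfile.TemporaryDirectory() as root:
        for folder, version in (("blocks-old", "3.9.4"), ("blocks-new", "3.9.5")):
            plugin_dir = Path(root, folder)
            plugin_dir.mkdir()
            plugin_dir.joinpath("main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {PRODUCT}\n * Version: {version}\n */\n")
        return find_affected(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, call `find_affected()` with the site's `wp-content/plugins` path; any hit is an install that still needs the update.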

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Patchstack. The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information is available at [ref-4].

Official resources

public