SQL Injection Vulnerability in WP Travel Plugin by WordPress
CVE-2026-45218

7.7HIGH

Key Information:

Vendor: WordPress
Status: WP Travel
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-45218?

The WP Travel plugin for WordPress is susceptible to an SQL Injection vulnerability, allowing attackers to execute unauthorized SQL commands. This issue arises from improper neutralization of user input in SQL execution, which can lead to data exposure or manipulation. Users of WP Travel plugin versions up to 11.4.0 should take immediate action to protect their websites from potential attacks. It's crucial to regularly update plugins and adhere to best security practices to safeguard sensitive data.

Affected Version(s)

WP Travel 0 <= 11.4.0

References

https://patchstack.com/database/Wordpress/Plugin/wp-trave...

vdb-entry

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
May 11, 2026

Credit

Nhut Quang | Patchstack Bug Bounty Program

CVE-2026-45218 Data

JSON