{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3496", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-03T18:32:46.594Z", "datePublished": "2026-03-11T13:24:34.677Z", "dateUpdated": "2026-04-08T16:46:03.744Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:03.744Z"}, "affected": [{"vendor": "Crocoblock", "product": "JetBooking", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "JetBooking <= 4.0.3 - Unauthenticated SQL Injection via 'check_in_date' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/35e33e30-e102-445a-99d0-27adb7fc4638?source=cve"}, {"url": "https://crocoblock.com/changelog/?plugin=jet-booking"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "timeline": [{"time": "2026-03-03T18:48:28.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-10T17:33:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:44:06.009516Z", "id": "CVE-2026-3496", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:44:20.430Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3496", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:44:06.009516Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:44:13.853Z"}}], "cna": {"title": "JetBooking <= 4.0.3 - Unauthenticated SQL Injection via 'check_in_date' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "Crocoblock", "product": "JetBooking", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.0.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-03T18:48:28.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-10T17:33:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/35e33e30-e102-445a-99d0-27adb7fc4638?source=cve"}, {"url": "https://crocoblock.com/changelog/?plugin=jet-booking"}], "descriptions": [{"lang": "en", "value": "The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:03.744Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3496", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:46:03.744Z", "dateReserved": "2026-03-03T18:32:46.594Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-11T13:24:34.677Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "id": "CVE-2026-3496", "lastModified": "2026-03-12T21:08:22.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-11T14:16:28.980", "references": [{"source": "security@wordfence.com", "url": "https://crocoblock.com/changelog/?plugin=jet-booking"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/35e33e30-e102-445a-99d0-27adb7fc4638?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.0.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "JetBooking", "source": "cna", "vendor": "Crocoblock"}, "product": "jetbooking", "vendor": "crocoblock"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T16:33:40.507032+00:00", "value": {"mitigation_remediation": ["Verify JetBooking plugin version; if 4.0.3 or earlier, schedule an update.", "Upgrade JetBooking to the latest available version (4.0.4 or newer) from Crocoblock.", "If an immediate upgrade is not possible, restrict the 'check_in_date' parameter to valid date ranges or filter input server\u2011side.", "Monitor the database and application logs for suspicious SELECT or UNION queries that may indicate exploitation.", "Check Crocoblock's changelog page or support forum for any announced mitigations or hotfixes beyond the official patch."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted database access via SQL injection"}, "threat_synthesis": {"affected_systems": "The affected product is the Crocoblock JetBooking plugin for WordPress. All installations running version 4.0.3 or earlier are impacted. No specific build numbers are listed beyond the upper bound of 4.0.3, so any build in that range should be considered vulnerable.", "description_and_impact": "The JetBooking WordPress plugin is vulnerable to SQL Injection through the 'check_in_date' parameter in all versions up to 4.0.3. The vulnerability arises from insufficient input escaping and lack of prepared statements, allowing unauthenticated attackers to append arbitrary SQL code to the existing query. This can be exploited to retrieve sensitive data from the database, such as user credentials, booking details, or other confidential information.", "risk_and_exploitability": "CVSS score 7.5 indicates a high severity with potential data exposure. EPSS score is below 1%, suggesting that exploitation is not currently widespread, and KEV catalog does not list it as a known exploited vulnerability. The attack vector is unauthenticated, so any user with access to the website\u2019s query parameters could trigger the injection, making the risk high for exposed sites. The vulnerability requires no additional privileges, and could be used to extract arbitrary tables or data from the database."}}}}, "created": "2026-03-12T10:05:57.470643+00:00", "updated": "2026-03-20T14:37:18.859509+00:00", "vendors": ["crocoblock", "crocoblock$PRODUCT$jetbooking", "wordpress", "wordpress$PRODUCT$wordpress"]}