CVE-2026-54820

Crocoblock · JetBooking

An unauthenticated SQL injection vulnerability in the JetBooking plugin for WordPress allows remote attackers to execute arbitrary SQL queries and access sensitive database information.

Executive summary

A critical SQL injection vulnerability in the Crocoblock JetBooking plugin allows unauthenticated attackers to gain unauthorized access to the application database.

Vulnerability

This is an unauthenticated SQL injection vulnerability, meaning no user privileges are required for an attacker to manipulate backend database queries through the plugin.

Business impact

The CVSS score of 9.3 highlights the extreme severity of this flaw. An attacker can bypass authentication, extract sensitive customer or administrative data, and potentially modify or delete database content, leading to severe operational disruption and regulatory non-compliance.

Remediation

Immediate Action: Update the JetBooking plugin to the latest version provided by Crocoblock to remediate the SQL injection flaw.

Proactive Monitoring: Audit database logs for anomalous query patterns, such as unexpected UNION statements or unauthorized access to sensitive tables.

Compensating Controls: Deploy a WAF with rules configured to detect and block common SQL injection patterns targeting WordPress plugins.
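The log audit described under Proactive Monitoring, as an added example that is not part of this advisory and not Crocoblock's code: a small Python script that parses MySQL general_log lines and flags the query shapes named above (UNION statements, schema enumeration, writes to sensitive tables). It assumes the default `wp_` table prefix, the general_log text format, and a constructed table name `wp_bookings_demo` that is not the plugin's real table.

```python
import re
from typing import List, Tuple

# MySQL general_log text line, as constructed for this example (assumption):
#   "<ISO-timestamp>\t<thread_id> Query\t<sql text>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) Query\t(?P<sql>.*)$")

# Core tables an injected query would most plausibly read or alter on a
# WordPress site; assumes the default wp_ prefix.
SENSITIVE_TABLES = ("wp_users", "wp_usermeta", "wp_options")

def classify(sql: str) -> List[str]:
    """Return the reasons a query deserves review; an empty list means none fired."""
    s = " ".join(sql.split()).lower()            # collapse whitespace, normalise case
    reasons: List[str] = []
    if re.search(r"\bunion\b(?:\s+all)?\s+select\b", s):
        reasons.append("union_select")            # result-set grafting, rare in plugin code
    if "information_schema" in s:
        reasons.append("schema_enumeration")      # application code has no reason to read it
    touched = [t for t in SENSITIVE_TABLES if re.search(rf"\b{t}\b", s)]
    if touched and re.match(r"(update|delete|insert|replace)\b", s):
        reasons.append("sensitive_write:" + ",".join(touched))   # review, core also does this
    if touched and "union_select" in reasons:
        reasons.append("sensitive_read_via_union:" + ",".join(touched))
    return reasons

def audit(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse general_log lines; return (thread_id, sql, reasons) for each flagged query."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                              # Connect/Quit lines or continuation text
        reasons = classify(m["sql"])
        if reasons:
            findings.append((m["thread"], m["sql"], reasons))
    return findings

# Constructed sample log: a benign booking lookup, a UNION pull against wp_users,
# a schema enumeration, and a legitimate core password update.
SAMPLE_LOG = """\
2026-03-01T10:00:01.000000Z\t   41 Query\tSELECT * FROM wp_bookings_demo WHERE status = 'pending'
2026-03-01T10:00:02.000000Z\t   42 Query\tSELECT id FROM wp_bookings_demo WHERE id = '1' UNION ALL SELECT user_pass FROM wp_users-- '
2026-03-01T10:00:03.000000Z\t   42 Query\tSELECT table_name FROM information_schema.tables WHERE table_schema = database()
2026-03-01T10:00:04.000000Z\t   43 Query\tUPDATE wp_users SET user_pass = '$P$B...' WHERE ID = 7
2026-03-01T10:00:05.000000Z\t   43 Quit\t
"""

if __name__ == "__main__":
    for thread, sql, reasons in audit(SAMPLE_LOG):
        print(f"thread {thread}: {reasons}\n    {sql}")
```

Findings are review candidates, not verdicts: WordPress core legitimately writes to wp_users, so the `sensitive_write` reason should be correlated with the originating request before acting on it.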

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

SQL injection remains a primary vector for data breaches. Administrators should treat this vulnerability with high urgency, applying the vendor-supplied patch as soon as possible to protect the integrity and confidentiality of the application database.