{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24367", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:32.873Z", "datePublished": "2026-01-22T16:52:45.218Z", "dateUpdated": "2026-04-28T16:14:48.277Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "traveler", "product": "Traveler", "vendor": "shinetheme", "versions": [{"changes": [{"at": "3.2.8", "status": "unaffected"}], "lessThanOrEqual": "3.2.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:10.581Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection.<p>This issue affects Traveler: from n/a through < 3.2.8.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection.This issue affects Traveler: from n/a through < 3.2.8."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:48.277Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-8-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Traveler theme < 3.2.8 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:00:39.604486Z", "id": "CVE-2026-24367", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:00:45.545Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24367", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-22T14:42:32.873Z", "datePublished": "2026-01-22T16:52:45.218Z", "dateUpdated": "2026-04-28T14:00:45.545Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "traveler", "product": "Traveler", "vendor": "shinetheme", "versions": [{"changes": [{"at": "3.2.8", "status": "unaffected"}], "lessThanOrEqual": "3.2.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:10.581Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection.<p>This issue affects Traveler: from n/a through < 3.2.8.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection.This issue affects Traveler: from n/a through < 3.2.8."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:04.528Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-8-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Traveler theme < 3.2.8 - SQL Injection vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24367", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:00:39.604486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T21:31:17.832Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection.This issue affects Traveler: from n/a through < 3.2.8."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando SQL ('Inyecci\u00f3n SQL') en shinetheme Traveler traveler permite Inyecci\u00f3n SQL Ciega. Este problema afecta a Traveler: desde n/a hasta &lt; 3.2.8."}], "id": "CVE-2026-24367", "lastModified": "2026-04-28T15:16:06.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:40.183", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-8-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T17:58:45.858689+00:00", "value": {"mitigation_remediation": ["Upgrade the Traveler theme to version 3.2.8 or later.", "If an upgrade cannot be performed immediately, disable or restrict public access to any forms or URLs supplied by the theme that accept user input.", "Deploy a web application firewall or custom input\u2011validation rules specifically tuned to block SQL injection patterns for the theme\u2019s database queries.", "Regularly monitor server logs for anomalous SQL activity related to the theme to detect potential exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Blind SQL Injection enabled by unsanitized inputs"}, "threat_synthesis": {"affected_systems": "All versions of Shinetheme Traveler from the first released version through any version prior to 3.2.8 are affected. The entry points are likely form fields or URL parameters handled by the theme where user-supplied data is passed directly into database queries.", "description_and_impact": "This vulnerability is an SQL injection flaw in the Traveler theme that allows an attacker to submit specially crafted input that is incorporated into an SQL command without proper sanitization. The flaw can lead to blind SQL injection, giving an attacker read or modify access to the site\u2019s database. The weakness matches CWE\u201189, and if exploited it could compromise confidentiality, integrity, or availability of the data stored by the WordPress site.", "risk_and_exploitability": "The CVSS v3.1 score of 8.5 indicates high severity. The EPSS of less than 1% suggests low current exploitation probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would likely need to locate a vulnerable instance, craft an input that triggers the injection, and wait for a blind response, which can be inferred from lack of error messages or timing differences. Given the high severity and potential impact, the risk escalates if the compromised data contains sensitive user information."}}}}, "created": "2026-01-23T16:28:35.822162+00:00", "updated": "2026-04-28T18:00:14.090782+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}