CVE-2025-22691: 
WordPress vulnerability analysis and mitigation

CVE-2025-22691 is a SQL Injection vulnerability affecting the WP Travel WordPress plugin versions through 10.1.0. The vulnerability was discovered by Trương Hữu Phúc and publicly disclosed on January 31, 2025. This security issue allows authenticated users with Author-level privileges or higher to perform SQL injection attacks (Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) with a CVSS v3.1 Base Score of 7.6 (High). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), and has a changed scope (S:C). The impact includes high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L) (NVD).

If successfully exploited, this vulnerability could allow an authenticated attacker to directly interact with the database, potentially leading to unauthorized access to sensitive information stored in the WordPress database. The high CVSS score of 7.6 indicates significant potential impact, particularly concerning data confidentiality (Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. Website administrators running affected versions of the WP Travel plugin should consider implementing additional security measures and monitoring database access patterns until a patch becomes available (Patchstack).