Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound FS Poster. This issue affects FS Poster: from n/a through 6.5.8.
AnalysisAI
SQL injection in FS Poster WordPress plugin version 6.5.8 and earlier allows authenticated attackers with low privileges to extract sensitive database information and potentially cause service disruption. The vulnerability enables cross-scope impact, meaning attackers can access resources beyond their authorized boundary. With a low EPSS score (0.09%, 25th percentile), widespread exploitation is not currently observed, though authenticated exploitation reduces the attack surface compared to unauthenticated flaws. Patchstack has documented this vulnerability, indicating security researcher awareness and potential for proof-of-concept development.
Technical ContextAI
FS Poster is a WordPress social media auto-posting plugin that schedules and publishes content across multiple platforms. This CWE-89 SQL injection vulnerability stems from improper neutralization of special SQL characters in user-supplied input, allowing attackers to inject malicious SQL commands into backend database queries. The CVSS vector indicates network-accessible exploitation with low attack complexity, requiring only low-privileged authentication (PR:L). The critical 'S:C' (Scope Changed) metric reveals the vulnerability allows attackers to affect resources beyond the vulnerable component's security scope-in WordPress context, this typically means escaping plugin permissions to access core WordPress database tables containing user credentials, site configuration, or other plugin data. The 'C:H' rating confirms high confidentiality impact through unrestricted database read access, while 'A:L' suggests potential for limited denial-of-service through resource-intensive queries or partial data corruption.
Affected ProductsAI
FS Poster WordPress plugin versions 6.5.8 and earlier are affected by this SQL injection vulnerability. The plugin, developed by NotFound, enables automated social media posting across platforms including Facebook, Twitter, Instagram, and LinkedIn. Organizations using any version up through 6.5.8 should verify their installation status. The vulnerability affects all WordPress installations running the affected plugin versions regardless of hosting environment or WordPress core version. Specific vulnerability details and affected code analysis are available through Patchstack's vulnerability database at the referenced advisory URL.
RemediationAI
Immediately upgrade FS Poster to version 6.5.9 or later if available-verify the vendor's official WordPress plugin repository or NotFound's website for the latest patched release. Review Patchstack's advisory at https://patchstack.com/database/wordpress/plugin/fs-poster/vulnerability/wordpress-fs-poster-plugin-6-5-8-sql-injection-vulnerability for vendor-specific remediation guidance and confirmed fix version. If a patched version is not yet available or immediate upgrade is not feasible, implement compensating controls: (1) Restrict WordPress user registration to prevent untrusted accounts from obtaining the low-privilege access required for exploitation-disable open registration in Settings > General and manually vet all contributor-level and above accounts; (2) Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in HTTP requests to FS Poster endpoints, though this may cause false positives with legitimate special characters in social media content; (3) Enable database query logging to detect exploitation attempts showing unusual query patterns or UNION-based injection signatures; (4) Consider temporarily disabling the FS Poster plugin if social media automation is non-critical until a confirmed patch is applied, noting this will halt scheduled posts and require manual social media management. Each mitigation carries trade-offs: registration restrictions limit legitimate user onboarding, WAF rules may block valid content, query logging creates performance overhead, and plugin disabling eliminates functionality.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today