Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ProfitShare.ro WP Profitshare allows SQL Injection. This issue affects WP Profitshare: from n/a through 1.4.9.
AnalysisAI
SQL injection in WP Profitshare plugin for WordPress allows authenticated administrators to extract sensitive database contents or disrupt availability. Affects versions up to 1.4.9. The CVSS 7.6 score reflects high confidentiality impact with scope change, indicating potential database-wide access beyond the plugin's normal privileges. EPSS score of 0.21% (44th percentile) suggests low current exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Technical ContextAI
WP Profitshare is a WordPress plugin for integrating the ProfitShare.ro affiliate marketing platform. The vulnerability is a classic SQL injection (CWE-89) where user-supplied input is incorporated into SQL queries without proper sanitization or parameterization. While the exact injection point is not specified in available data, the CVSS vector indicates network-accessible functionality requiring high-privilege (administrator) authentication. The scope change (S:C) in the CVSS vector suggests the SQL injection can access database resources beyond the plugin's normal security boundary, potentially affecting other WordPress tables or plugins sharing the same database. WordPress plugins commonly implement SQL injection vulnerabilities in custom query implementations that bypass WordPress's prepared statement functions like $wpdb->prepare().
Affected ProductsAI
WordPress WP Profitshare plugin versions from earliest release through 1.4.9 are affected, per Patchstack advisory. The vulnerability was reported by audit@patchstack.com and documented at https://patchstack.com/database/wordpress/plugin/wp-profitshare/vulnerability/wordpress-wp-profitshare-plugin-1-4-9-sql-injection-vulnerability. No CPE strings were provided in the available data, but the product is distributed through the WordPress plugin repository as 'wp-profitshare'.
RemediationAI
Upgrade WP Profitshare plugin to version 1.5.0 or later if available (check WordPress plugin repository or vendor site at ProfitShare.ro for the patched release). The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-profitshare/vulnerability/wordpress-wp-profitshare-plugin-1-4-9-sql-injection-vulnerability should contain specific patch version details. If no patched version exists, implement compensating controls: restrict WordPress administrator role to only trusted personnel, enable database query logging to detect injection attempts, implement Web Application Firewall (WAF) rules to inspect POST/GET parameters for SQL syntax (note: may cause false positives in legitimate admin operations), or temporarily disable the WP Profitshare plugin if affiliate tracking can be paused (trade-off: loss of commission tracking and reporting functionality). For hardened environments, consider database-level access controls that limit the WordPress database user to only necessary tables, though this may break legitimate plugin functionality.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today