Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jahertor WP Featured Entries allows SQL Injection. This issue affects WP Featured Entries: from n/a through 1.0.
AnalysisAI
SQL injection in WP Featured Entries WordPress plugin versions up to 1.0 enables authenticated attackers with low-level privileges to extract sensitive database contents and potentially cause database denial of service through scope change. Reported by Patchstack audit team, this vulnerability has low exploitation probability (EPSS 0.09%, 25th percentile) and no confirmed active exploitation or public POC. The scope-changing nature (S:C) allows attackers to impact resources beyond the vulnerable component, escalating the attack's reach despite requiring initial authentication.
Technical ContextAI
This vulnerability stems from CWE-89 (SQL Injection) in the WP Featured Entries WordPress plugin. SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterization, allowing attackers to manipulate database commands. The plugin version 1.0 and earlier fail to properly neutralize special SQL characters in user input. The WordPress ecosystem commonly suffers from SQL injection in custom plugins due to developers directly concatenating user input into database queries rather than using WordPress's prepared statement APIs like $wpdb->prepare(). The CVSS vector indicates network-based exploitation with low attack complexity, requiring only low-privilege authentication but no user interaction, making it relatively straightforward to exploit once access is obtained.
Affected ProductsAI
Jahertor WP Featured Entries WordPress plugin versions from inception through version 1.0 are confirmed vulnerable per Patchstack vulnerability database entry. The plugin operates within the WordPress content management system ecosystem. No specific CPE data provided, but affects WordPress installations with this plugin active. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/wp-featured-entries/vulnerability/wordpress-wp-featured-entries-1-0-sql-injection-vulnerability.
RemediationAI
Immediately remove or disable WP Featured Entries plugin version 1.0 and earlier until a patched version becomes available. No vendor-released patched version is confirmed at time of analysis based on available data sources. Check Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-featured-entries/vulnerability/wordpress-wp-featured-entries-1-0-sql-injection-vulnerability for updated patch status. As compensating controls, restrict WordPress user role assignments to trusted administrators only, audit existing contributor and author accounts for necessity, and implement database activity monitoring to detect unusual SQL query patterns. Consider replacing WP Featured Entries with alternative featured content plugins that have active maintenance and security audit history. Review WordPress database logs for suspicious queries containing SQL injection patterns (UNION, SELECT, OR 1=1 constructs) originating from low-privilege user sessions. Note that restricting user roles may impact legitimate content workflow if contributors require access.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today