Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Potenzaglobalsolutions PGS Core allows SQL Injection. This issue affects PGS Core: from n/a through 5.9.0.
AnalysisAI
SQL injection in PGS Core WordPress plugin through version 5.9.0 allows authenticated attackers with low privileges to extract sensitive database contents and potentially degrade system availability. The vulnerability features low attack complexity and crosses scope boundaries (CVSS S:C), enabling lateral movement beyond the plugin's intended access boundaries. EPSS exploitation probability is minimal (0.03%, 10th percentile) and no active exploitation or public exploit code has been identified, suggesting this remains a disclosure-phase vulnerability requiring authenticated access.
Technical ContextAI
This vulnerability affects PGS Core, a WordPress plugin developed by Potenzaglobalsolutions. The flaw is a classic CWE-89 SQL injection vulnerability where user-controlled input is improperly sanitized before being incorporated into SQL queries. WordPress plugins commonly interact with the WordPress database (typically MySQL/MariaDB) using the wpdb class, and failures to use prepared statements or proper escaping functions (like esc_sql or $wpdb->prepare) create injection points. The changed scope (S:C) in the CVSS vector indicates the vulnerable component's security boundary can be exceeded, meaning an attacker could potentially access database tables beyond those intended for the plugin, affecting the broader WordPress installation and other plugins sharing the same database.
Affected ProductsAI
PGS Core WordPress plugin versions from earliest release through version 5.9.0 are vulnerable, as reported by Patchstack. The vulnerability affects WordPress installations where this plugin is active. Specific version introduction point is not documented (marked 'n/a' in advisory), suggesting the flaw may exist in the plugin's original codebase. Vendor advisory and technical details are available at Patchstack's vulnerability database: https://patchstack.com/database/wordpress/plugin/pgs-core/vulnerability/wordpress-pgs-core-plugin-5-9-0-sql-injection-vulnerability
RemediationAI
Update PGS Core plugin to version 5.9.1 or later if available through the WordPress plugin repository or vendor channels. Check the official Patchstack advisory at https://patchstack.com/database/wordpress/plugin/pgs-core/vulnerability/wordpress-pgs-core-plugin-5-9-0-sql-injection-vulnerability for confirmed patched version. If no patch is immediately available, implement compensating controls: Restrict PGS Core plugin functionality to only administrator-level users through WordPress role management, reducing the pool of potential authenticated attackers (trade-off: limits legitimate subscriber/contributor access to plugin features). Deploy a WordPress Web Application Firewall (WAF) like Wordfence or Sucuri with SQL injection signature detection to block common SQL injection patterns targeting the plugin (trade-off: may generate false positives requiring tuning). Consider temporarily deactivating PGS Core plugin if its functionality is non-critical until vendor releases a confirmed patch (trade-off: loss of plugin features). Implement database activity monitoring to detect anomalous SQL query patterns originating from WordPress application user accounts.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today