Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Golemiq 0 Day Analytics allows SQL Injection.This issue affects 0 Day Analytics: from n/a through 4.0.0.
AnalysisAI
SQL injection in the 0 Day Analytics WordPress plugin versions through 4.0.0 allows high-privilege authenticated attackers to execute arbitrary SQL queries with cross-scope impact. Reported by Patchstack audit team, this CWE-89 flaw enables database extraction despite requiring admin-level credentials. EPSS score of 0.05% (16th percentile) indicates low predicted exploitation probability, and no active exploitation or public POC has been identified.
Technical ContextAI
This vulnerability stems from improper neutralization of SQL special characters (CWE-89) within the 0 Day Analytics WordPress plugin. The affected component likely involves dynamic SQL query construction where user-controlled input from high-privilege administrators is concatenated into SQL statements without adequate parameterization or escaping. The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the plugin's security boundary, potentially impacting the underlying WordPress database or other plugins sharing the same database instance. As a WordPress plugin vulnerability, the attack surface exists within the WordPress administrative interface where privileged users interact with analytics functionality.
Affected ProductsAI
Golemiq 0 Day Analytics WordPress plugin versions from initial release through version 4.0.0 are confirmed vulnerable based on Patchstack advisory data. The vulnerability affects all installations running any version up to and including 4.0.0. Advisory details and vulnerability confirmation available at https://patchstack.com/database/wordpress/plugin/0-day-analytics/vulnerability/wordpress-0-day-analytics-plugin-4-0-0-sql-injection-vulnerability
RemediationAI
Primary mitigation requires upgrading to 0 Day Analytics version 4.0.1 or later if available, per Patchstack vulnerability database recommendations (verify current patched version at https://patchstack.com/database/wordpress/plugin/0-day-analytics/). If no patched version exists or immediate upgrade is not feasible, implement compensating controls: restrict WordPress admin role assignments to essential personnel only with documented business justification, enforce multi-factor authentication for all administrator accounts to reduce credential compromise risk, enable WordPress database query logging to detect SQL injection attempts in analytics plugin interactions, and consider temporarily disabling the 0 Day Analytics plugin if analytics functionality is not business-critical until a verified patch is released. Note that restricting admin access may impact legitimate analytics administration workflows and require process adjustments. Monitor Patchstack and the plugin's WordPress repository for official security updates.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today