Skip to main content

Lisfinity Core CVE-2026-22484

| EUVDEUVD-2026-15489 CRITICAL
SQL Injection (CWE-89)
2026-03-25 Patchstack
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15489
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.This issue affects Lisfinity Core: from n/a through <= 1.5.0.

AnalysisAI

A SQL Injection vulnerability exists in Pebas Lisfinity Core, a WordPress plugin, affecting versions up to and including 1.5.0. This improper neutralization of special elements in SQL commands (CWE-89) allows attackers to inject arbitrary SQL code, potentially leading to unauthorized data access, modification, or deletion of the underlying database. The vulnerability has been documented by Patchstack and assigned EUVD-2026-15489, though no CVSS score, EPSS data, or confirmed active exploitation status is currently available in the provided intelligence.

Technical ContextAI

Lisfinity Core (cpe:2.3:a:pebas:lisfinity_core) is a WordPress plugin framework that processes user input for database queries. The vulnerability stems from improper input sanitization and parameterization in SQL query construction, classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). When user-supplied data is concatenated directly into SQL queries without proper escaping or prepared statements, attackers can inject malicious SQL syntax to manipulate query logic, bypass authentication checks, or extract sensitive database contents. This is a foundational web application security flaw common in WordPress plugins that interact with custom database tables or WordPress core tables without using parameterized queries or WordPress-provided sanitization functions.

RemediationAI

Immediately upgrade Lisfinity Core to a version newer than 1.5.0 (check Pebas official sources or WordPress plugin repository for the latest patched release). Until patching is complete, WordPress administrators should disable or deactivate the Lisfinity Core plugin entirely if it is not critical to operations, or restrict access to plugin-exposed functionality via web application firewall (WAF) rules, IP whitelisting, or authentication mechanisms. Additionally, apply WordPress security hardening: ensure all database credentials follow the principle of least privilege, enable WordPress security plugins that monitor for SQL injection attempts, and maintain regular database backups to enable rapid recovery if compromise occurs. Consult the official Patchstack advisory and any patches released by Pebas.

Share

CVE-2026-22484 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy