Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.This issue affects Lisfinity Core: from n/a through <= 1.5.0.
AnalysisAI
A SQL Injection vulnerability exists in Pebas Lisfinity Core, a WordPress plugin, affecting versions up to and including 1.5.0. This improper neutralization of special elements in SQL commands (CWE-89) allows attackers to inject arbitrary SQL code, potentially leading to unauthorized data access, modification, or deletion of the underlying database. The vulnerability has been documented by Patchstack and assigned EUVD-2026-15489, though no CVSS score, EPSS data, or confirmed active exploitation status is currently available in the provided intelligence.
Technical ContextAI
Lisfinity Core (cpe:2.3:a:pebas:lisfinity_core) is a WordPress plugin framework that processes user input for database queries. The vulnerability stems from improper input sanitization and parameterization in SQL query construction, classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). When user-supplied data is concatenated directly into SQL queries without proper escaping or prepared statements, attackers can inject malicious SQL syntax to manipulate query logic, bypass authentication checks, or extract sensitive database contents. This is a foundational web application security flaw common in WordPress plugins that interact with custom database tables or WordPress core tables without using parameterized queries or WordPress-provided sanitization functions.
RemediationAI
Immediately upgrade Lisfinity Core to a version newer than 1.5.0 (check Pebas official sources or WordPress plugin repository for the latest patched release). Until patching is complete, WordPress administrators should disable or deactivate the Lisfinity Core plugin entirely if it is not critical to operations, or restrict access to plugin-exposed functionality via web application firewall (WAF) rules, IP whitelisting, or authentication mechanisms. Additionally, apply WordPress security hardening: ensure all database credentials follow the principle of least privilege, enable WordPress security plugins that monitor for SQL injection attempts, and maintain regular database backups to enable rapid recovery if compromise occurs. Consult the official Patchstack advisory and any patches released by Pebas.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15489