EUVD-2026-14017
GHSA-f468-x76g-m76r
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sort_by' and 'sort_order' parameters in all versions up to, and including, 1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
The myLinksDump plugin for WordPress contains a SQL injection vulnerability in the 'sort_by' and 'sort_order' parameters affecting all versions up to and including 1.6. Authenticated attackers with administrator-level access can exploit insufficient input escaping and inadequate SQL query preparation to append malicious SQL queries and extract sensitive database information. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all administrator account activity and access logs for the myLinksDump plugin; identify all WordPress instances using this plugin. Within 7 days: Disable the myLinksDump plugin on all affected installations if business-critical functionality permits, or restrict admin access to only trusted personnel with mandatory MFA enforcement. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today