CVE-2026-2495
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2Description
The WPNakama - Team and multi-Client Collaboration, Editorial and Project Management plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the '/wp-json/WPNakama/v1/boards' REST API endpoint in all versions up to, and including, 0.6.5. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
Unauthenticated attackers can exploit SQL injection in the WPNakama WordPress plugin (versions up to 0.6.5) through the 'order' parameter in the REST API /wp-json/WPNakama/v1/boards endpoint due to insufficient input escaping. This allows unauthorized extraction of sensitive database information from any WordPress installation running the vulnerable plugin. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all WordPress installations for WPNakama plugin presence and version; disable the plugin if not critical to operations. Within 7 days: Contact WPNakama vendor for patch ETA; implement WAF rules to block malicious REST API requests to /wp-json/WPNakama/v1/boards; restrict API access via IP allowlist if feasible. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today