Skip to main content

Wzone CVE-2026-27039

| EUVDEUVD-2026-15757 HIGH
SQL Injection (CWE-89)
2026-03-25 Patchstack GHSA-pqmj-4w77-cj6j
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15757
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team WZone woozone allows Blind SQL Injection.This issue affects WZone: from n/a through <= 14.0.31.

AnalysisAI

A blind SQL injection vulnerability exists in AA-Team's WZone WordPress plugin through version 14.0.31, allowing unauthenticated attackers to extract sensitive database information without direct error-based feedback. The vulnerability affects all versions of WZone up to and including 14.0.31, enabling attackers to manipulate SQL queries through improperly neutralized user input. While no CVSS score or EPSS probability is available in the disclosed data, the blind SQL injection classification and the plugin's wide WordPress ecosystem adoption suggest moderate to high real-world risk, particularly if the vulnerability is easily triggerable and no authentication is required.

Technical ContextAI

The vulnerability represents a classic SQL injection (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) where user-supplied input is concatenated directly into SQL queries without proper parameterization or escaping. In the context of WZone (identified via CPE cpe:2.3:a:aa-team:wzone:*:*:*:*:*:*:*:*), this is a WordPress plugin vulnerability likely affecting database queries that process user-controlled parameters. Blind SQL injection specifically means the application does not return explicit error messages or result sets; instead, attackers infer database state through response time differences, conditional logic branches, or boolean-based techniques. This requires the vulnerable code path to accept unsanitized input into SQL WHERE clauses, ORDER BY statements, or other query construction points without using prepared statements or parameterized queries.

RemediationAI

Immediately upgrade AA-Team WZone to a patched version beyond 14.0.31 if available from the vendor; consult the official Patchstack advisory and AA-Team's security channels for the latest fixed release. If an immediate patch is unavailable, apply input validation and SQL escaping patches to the vulnerable code paths (typically in plugin query construction functions), or disable the WZone plugin until a patch is released. As an interim mitigation, restrict access to the vulnerable endpoint(s) via web application firewall (WAF) rules blocking suspicious SQL keywords (UNION, SELECT, SLEEP, BENCHMARK) in user input, enforce strict database user permissions (least privilege for the WordPress database user), and implement database activity monitoring to detect anomalous query patterns. Monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/woozone/) for patch availability and vendor communications from AA-Team.

Share

CVE-2026-27039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy