Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team WZone woozone allows Blind SQL Injection.This issue affects WZone: from n/a through <= 14.0.31.
AnalysisAI
A blind SQL injection vulnerability exists in AA-Team's WZone WordPress plugin through version 14.0.31, allowing unauthenticated attackers to extract sensitive database information without direct error-based feedback. The vulnerability affects all versions of WZone up to and including 14.0.31, enabling attackers to manipulate SQL queries through improperly neutralized user input. While no CVSS score or EPSS probability is available in the disclosed data, the blind SQL injection classification and the plugin's wide WordPress ecosystem adoption suggest moderate to high real-world risk, particularly if the vulnerability is easily triggerable and no authentication is required.
Technical ContextAI
The vulnerability represents a classic SQL injection (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) where user-supplied input is concatenated directly into SQL queries without proper parameterization or escaping. In the context of WZone (identified via CPE cpe:2.3:a:aa-team:wzone:*:*:*:*:*:*:*:*), this is a WordPress plugin vulnerability likely affecting database queries that process user-controlled parameters. Blind SQL injection specifically means the application does not return explicit error messages or result sets; instead, attackers infer database state through response time differences, conditional logic branches, or boolean-based techniques. This requires the vulnerable code path to accept unsanitized input into SQL WHERE clauses, ORDER BY statements, or other query construction points without using prepared statements or parameterized queries.
RemediationAI
Immediately upgrade AA-Team WZone to a patched version beyond 14.0.31 if available from the vendor; consult the official Patchstack advisory and AA-Team's security channels for the latest fixed release. If an immediate patch is unavailable, apply input validation and SQL escaping patches to the vulnerable code paths (typically in plugin query construction functions), or disable the WZone plugin until a patch is released. As an interim mitigation, restrict access to the vulnerable endpoint(s) via web application firewall (WAF) rules blocking suspicious SQL keywords (UNION, SELECT, SLEEP, BENCHMARK) in user input, enforce strict database user permissions (least privilege for the WordPress database user), and implement database activity monitoring to detect anomalous query patterns. Monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/woozone/) for patch availability and vendor communications from AA-Team.
Missing Authorization vulnerability in AA-Team WZone.0.10. Rated critical severity (CVSS 9.8), this vulnerability is rem
AA-Team WZone versions 14.0.31 and earlier contain a path traversal vulnerability that allows authenticated attackers to
Missing Authorization vulnerability in AA-Team WZone.0.10. Rated high severity (CVSS 8.8), this vulnerability is remotel
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15757
GHSA-pqmj-4w77-cj6j