Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Categories collapsing-categories allows Blind SQL Injection.This issue affects Collapsing Categories: from n/a through <= 3.0.9.
AnalysisAI
A blind SQL injection vulnerability exists in the WordPress Collapsing Categories plugin (versions up to 3.0.9) that allows authenticated attackers with low privileges to execute arbitrary SQL queries against the database. The vulnerability enables extraction of sensitive data including user credentials, though it does not allow direct data modification. With a CVSS score of 8.5 and no current exploitation in the wild (not in KEV), this represents a serious but not critical risk for WordPress sites using this plugin.
Technical ContextAI
The Collapsing Categories plugin by robfelty is a WordPress extension that provides collapsible category listings for posts. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89), where user-supplied input is not properly sanitized before being incorporated into database queries. This classic SQL injection flaw allows attackers to inject malicious SQL code through plugin parameters, though the 'blind' nature means results must be inferred through timing or boolean-based responses rather than direct output. The affected product is identified as cpe:2.3:a:robfelty:collapsing-categories:*:*:*:*:*:wordpress:*:* covering all versions through 3.0.9.
RemediationAI
The primary remediation is to update the Collapsing Categories plugin to a version newer than 3.0.9 if available, or remove the plugin entirely if it is not actively used. As an immediate workaround, administrators should review and restrict user privileges to minimize the number of accounts that could exploit this vulnerability, ensuring only trusted users have contributor-level access or higher. Additionally, implementing a Web Application Firewall (WAF) with SQL injection protection rules can help block exploitation attempts while awaiting a patch. Monitor WordPress security advisories and the plugin's official repository for security updates.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11860