Skip to main content

Miraculous Core Plugin CVE-2026-32516

| EUVDEUVD-2026-15876 HIGH
SQL Injection (CWE-89)
2026-03-25 Patchstack
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:14 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.1.2
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15876
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection.This issue affects Miraculous Core Plugin: from n/a through < 2.1.2.

AnalysisAI

A blind SQL injection vulnerability exists in the Miraculous Core Plugin for WordPress (versions prior to 2.1.2), allowing attackers to execute arbitrary SQL commands against the underlying database without displaying query results directly. This vulnerability affects all installations of the kamleshyadav Miraculous Core Plugin below version 2.1.2, enabling attackers to extract sensitive data, modify database contents, or potentially achieve remote code execution depending on database permissions and WordPress configuration. While CVSS and EPSS scores are not yet available and KEV status is unknown, the SQL injection classification (CWE-89) and reporting via Patchstack indicate this is a validated vulnerability with a confirmed patch available in version 2.1.2.

Technical ContextAI

This vulnerability stems from improper neutralization of special characters in SQL commands, classified under CWE-89 (SQL Injection). The Miraculous Core Plugin (identified by CPE cpe:2.3:a:kamleshyadav:miraculous_core_plugin:*:*:*:*:*:*:*:*) fails to properly sanitize or parameterize user-supplied input before incorporating it into database queries executed by WordPress. The blind SQL injection variant is particularly dangerous because the attacker cannot see query results directly; instead, they must infer data through time-based delays, boolean-based responses, or error-based techniques. This commonly affects plugin functionality that processes user input through custom database queries without using WordPress prepared statements (wpdb->prepare()) or proper escaping functions.

RemediationAI

Immediately upgrade the Miraculous Core Plugin to version 2.1.2 or later, which contains the security patch resolving the SQL injection vulnerability. This patch is available through the official WordPress plugin repository and can be deployed via WordPress admin dashboard (Plugins → Updates) or command-line tools like WP-CLI. Until patching is feasible, implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the plugin's endpoints, restrict database user permissions to the minimum required for plugin functionality (principle of least privilege), and monitor database query logs for suspicious activity patterns indicative of blind SQL injection attempts (unusual timing delays or repeated conditional queries). Additionally, ensure WordPress and all other plugins are kept current, as defense-in-depth reduces overall attack surface.

Share

CVE-2026-32516 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy