Skip to main content

Ottokit CVE-2026-39479

| EUVD-2026-20146 HIGH
SQL Injection (CWE-89)
2026-04-08 Patchstack GHSA-cvhv-59pg-p7r4
SQLi Ottokit
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:26 vuln.today
CVSS changed
Apr 13, 2026 - 17:22 NVD
7.6 (HIGH)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20146
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force OttoKit suretriggers allows Blind SQL Injection.This issue affects OttoKit: from n/a through <= 1.1.20.

AnalysisAI

Blind SQL injection in Brainstorm Force OttoKit (WordPress plugin suretriggers) versions up to 1.1.20 allows privileged attackers with high-level administrative access to extract sensitive database information and potentially cause service disruptions. CVSS 7.6 severity driven by changed scope (container escape to underlying WordPress database). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise admin credentials
Delivery
Authenticate to WordPress dashboard
Exploit
Access OttoKit plugin interface
Execution
Inject malicious SQL payload in vulnerable parameter
Persist
Execute blind SQLi extraction queries
Impact
Exfiltrate database contents or cause DoS
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must possess valid WordPress administrator credentials (high privilege requirement per CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is MODERATE despite the 7.6 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already compromised a WordPress administrator account (through phishing, credential stuffing, or session hijacking) authenticates to the WordPress dashboard and navigates to OttoKit plugin functionality. The attacker crafts malicious input containing SQL injection payloads (such as time-based blind injection using SLEEP() functions or boolean-based techniques with AND/OR conditions) into form fields or API parameters processed by the vulnerable plugin. …
Remediation Upgrade OttoKit (suretriggers) plugin to version 1.1.21 or later immediately, as this release addresses the SQL injection vulnerability according to Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/suretriggers/vulnerability/wordpress-ottokit-plugin-1-1-20-sql-injection-vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all WordPress instances running suretriggers plugin versions up to 1.1.20 using vulnerability scanning tools or manual plugin inventory audit. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39479 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy