Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network-reachable SQLi (AV:N/AC:L/PR:N/UI:N); scope change to WP core tables (S:C); high read impact, but realistic SQLi also permits limited writes so I:L rather than I:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions.
AnalysisAI
Unauthenticated SQL injection in the GeekyBot WordPress plugin versions 1.2.0 and earlier allows remote attackers to inject arbitrary SQL queries against the WordPress database without any authentication or user interaction. The flaw was disclosed via Patchstack and carries a high CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the plugin's own security context. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
GeekyBot is a WordPress plugin (CPE cpe:2.3:a:ahmad:geekybot) that, like most WordPress extensions, interacts with the underlying MySQL/MariaDB database via the global $wpdb abstraction. CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) indicates that user-controllable input is concatenated into SQL statements without proper use of prepared statements or $wpdb->prepare() sanitization, allowing query structure manipulation. The scope change (S:C) in the CVSS vector reflects that injected SQL can read or affect WordPress core tables - including wp_users and wp_options - which lie outside the plugin's intended security boundary.
RemediationAI
No vendor-released patch identified at time of analysis - the EUVD entry lists the fixed version as 'n/a' and no patched release is cited in the references. Until the plugin author publishes a fix above 1.2.0, the most reliable mitigation is to deactivate and remove the GeekyBot plugin from affected WordPress sites; this eliminates exposure but removes any chatbot functionality the plugin provided. As compensating controls, deploy a WAF with WordPress-specific SQLi rulesets (Patchstack, Wordfence, or equivalent) to filter suspicious query parameters reaching the plugin's endpoints - this reduces but does not eliminate risk and may produce false positives on legitimate traffic. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/geeky-bot/vulnerability/wordpress-geekybot-plugin-1-2-0-sql-injection-vulnerability for an updated fixed version, and restrict outbound database connectivity and review wp_users / wp_options for unauthorized changes as a defensive baseline.
Unauthenticated arbitrary file upload in the GeekyBot WordPress plugin (versions 1.2.2 and earlier) allows remote attack
SQL injection in the GeekyBot WordPress plugin (versions 1.2.5 and earlier) allows unauthenticated remote attackers to i
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36956
GHSA-67gj-5jwj-xjgh