Skip to main content

WebinarIgnition CVE-2026-40797

| EUVDEUVD-2026-27227 CRITICAL
SQL Injection (CWE-89)
2026-05-05 Patchstack GHSA-67fw-37c8-893f
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 05, 2026 - 07:31 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection.

This issue affects WebinarIgnition: from n/a through 4.08.253.

AnalysisAI

Blind SQL injection in WebinarIgnition WordPress plugin allows remote unauthenticated attackers to extract sensitive database contents including user credentials and private webinar data. The vulnerability affects all versions through 4.08.253 and requires no special configuration. Patchstack publicly disclosed this vulnerability with database reference, though no active exploitation has been confirmed via CISA KEV at time of analysis. The CVSS 9.3 critical rating reflects network-accessible attack vector with scope change, indicating potential for lateral movement beyond the vulnerable component.

Technical ContextAI

This vulnerability affects the WebinarIgnition WordPress plugin developed by Saleswonder LLC, identified by CPE cpe:2.3:a:saleswonder_llc:webinarignition. The flaw is a classic CWE-89 SQL injection vulnerability where user-controlled input is improperly sanitized before being incorporated into SQL queries. The 'Blind' SQL injection variant means attackers cannot see direct query results but can infer data through timing attacks, boolean-based logic, or error messages. WordPress plugins commonly suffer from SQL injection when using direct database queries via $wpdb without prepared statements or when bypassing WordPress's built-in sanitization functions. The changed scope (S:C) in the CVSS vector suggests the vulnerability may allow attackers to access resources beyond the plugin's security boundary, potentially affecting the entire WordPress database including other plugins and core tables.

RemediationAI

Immediate action required: Upgrade WebinarIgnition to version 4.08.254 or later if available, or contact Saleswonder LLC directly to confirm patch availability as the provided references do not specify an exact patched version number. Check the official WordPress plugin repository and Saleswonder's website for security updates. Until patching is possible, implement these specific compensating controls with noted trade-offs: (1) Deploy a Web Application Firewall (WAF) with SQL injection signature rules targeting the WebinarIgnition plugin endpoints - this adds latency and may cause false positives blocking legitimate traffic; (2) Restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules - this prevents remote administration and breaks legitimate remote workflows; (3) Enable WordPress database activity monitoring to detect blind SQL injection attempts through query pattern analysis - this generates alert fatigue without preventing exploitation. Consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/webinar-ignition/vulnerability/wordpress-webinarignition-plugin-4-06-08-sql-injection-vulnerability?_s_id=cve for additional vendor guidance. If no patch materializes within 48 hours, strongly consider deactivating the plugin until resolution given the unauthenticated remote attack vector.

Share

CVE-2026-40797 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy