Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection.
This issue affects WebinarIgnition: from n/a through 4.08.253.
AnalysisAI
Blind SQL injection in WebinarIgnition WordPress plugin allows remote unauthenticated attackers to extract sensitive database contents including user credentials and private webinar data. The vulnerability affects all versions through 4.08.253 and requires no special configuration. Patchstack publicly disclosed this vulnerability with database reference, though no active exploitation has been confirmed via CISA KEV at time of analysis. The CVSS 9.3 critical rating reflects network-accessible attack vector with scope change, indicating potential for lateral movement beyond the vulnerable component.
Technical ContextAI
This vulnerability affects the WebinarIgnition WordPress plugin developed by Saleswonder LLC, identified by CPE cpe:2.3:a:saleswonder_llc:webinarignition. The flaw is a classic CWE-89 SQL injection vulnerability where user-controlled input is improperly sanitized before being incorporated into SQL queries. The 'Blind' SQL injection variant means attackers cannot see direct query results but can infer data through timing attacks, boolean-based logic, or error messages. WordPress plugins commonly suffer from SQL injection when using direct database queries via $wpdb without prepared statements or when bypassing WordPress's built-in sanitization functions. The changed scope (S:C) in the CVSS vector suggests the vulnerability may allow attackers to access resources beyond the plugin's security boundary, potentially affecting the entire WordPress database including other plugins and core tables.
RemediationAI
Immediate action required: Upgrade WebinarIgnition to version 4.08.254 or later if available, or contact Saleswonder LLC directly to confirm patch availability as the provided references do not specify an exact patched version number. Check the official WordPress plugin repository and Saleswonder's website for security updates. Until patching is possible, implement these specific compensating controls with noted trade-offs: (1) Deploy a Web Application Firewall (WAF) with SQL injection signature rules targeting the WebinarIgnition plugin endpoints - this adds latency and may cause false positives blocking legitimate traffic; (2) Restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules - this prevents remote administration and breaks legitimate remote workflows; (3) Enable WordPress database activity monitoring to detect blind SQL injection attempts through query pattern analysis - this generates alert fatigue without preventing exploitation. Consult Patchstack advisory at https://patchstack.com/database/wordpress/plugin/webinar-ignition/vulnerability/wordpress-webinarignition-plugin-4-06-08-sql-injection-vulnerability?_s_id=cve for additional vendor guidance. If no patch materializes within 48 hours, strongly consider deactivating the plugin until resolution given the unauthenticated remote attack vector.
More in Webinarignition
View allDeserialization of Untrusted Data vulnerability in Saleswonder Team Webinar Plugin: Create live/evergreen/automated/inst
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder Team W
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27227
GHSA-67fw-37c8-893f