Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan tainacan allows Blind SQL Injection.This issue affects Tainacan: from n/a through <= 1.0.3.
AnalysisAI
Blind SQL injection in the Tainacan WordPress plugin (versions up to and including 1.0.3) lets remote unauthenticated attackers inject crafted SQL into backend database queries. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates exploitation requires no authentication or user interaction, and the changed scope plus high confidentiality impact drive the 9.3 score. There is no public exploit identified at the time of analysis and the issue is not listed in CISA KEV, but the low attack complexity and unauthenticated reach make it a high-priority patch candidate.
Technical ContextAI
Tainacan is an open-source WordPress plugin used to build and manage digital repositories and collections (commonly deployed by museums, archives, libraries, and universities). The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controllable input reaches a database query without proper sanitization or parameterization. The 'blind' classification indicates the attacker does not see query results directly in responses but infers data through boolean/time-based behavioral differences. The CVSS scope-changed flag (S:C) suggests the injection can affect resources beyond the vulnerable component's security authority - consistent with SQLi reaching the shared WordPress/MySQL backend that other site components rely on.
RemediationAI
No vendor-released patch version is identified in the available data, so a specific fixed release cannot be cited; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/tainacan/vulnerability/wordpress-tainacan-plugin-1-0-3-sql-injection-vulnerability?_s_id=cve) and the plugin's WordPress.org page for an updated version above 1.0.3 and upgrade as soon as one is published. Until a fixed release is confirmed, restrict access to the affected endpoints by placing the WordPress site or its admin/REST paths behind a WAF or virtual-patching rule (Patchstack and similar services offer signatures for this CVE) - note this may produce false positives on legitimate query parameters. As an interim measure, deactivate the Tainacan plugin if its functionality is not business-critical, accepting the trade-off that collection/repository features will be unavailable. Additionally, limit network exposure of the site to trusted users where feasible and apply least-privilege to the WordPress database account to reduce the blast radius of a successful injection.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32192
GHSA-9h9p-24mg-7v88