Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network-reachable WordPress plugin endpoint reachable by any authenticated low-privileged user (PR:L), no interaction; blind SQLi yields full DB read (C:H) with scope change beyond plugin, integrity unaffected.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force SureDash allows Blind SQL Injection.
This issue affects SureDash: from n/a through 1.8.0.
AnalysisAI
Blind SQL injection in Brainstorm Force SureDash WordPress plugin versions up to and including 1.8.0 allows authenticated low-privileged attackers to inject arbitrary SQL commands through unsanitized input. The scope-changed CVSS 8.5 score reflects that exploitation can impact resources beyond the vulnerable component, exposing sensitive WordPress database contents to remote attackers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the SureDash plugin to be installed and activated on a WordPress site at version 1.8.0 or earlier, and the attacker must hold valid credentials for an authenticated WordPress account (PR:L from the CVSS vector indicates a low-privileged role such as Subscriber or Contributor is sufficient - admin rights are not needed). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L indicates network-reachable, low-complexity exploitation requiring only low privileges (any authenticated WordPress user role, potentially Subscriber) and no user interaction, with a scope change reflecting that SQL access reaches the entire WordPress database beyond the plugin's own context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a low-privileged account on a WordPress site running SureDash <= 1.8.0 (or uses any existing low-privileged credential) and sends crafted requests to a vulnerable plugin endpoint that concatenates input into a SQL query. Using boolean or time-based blind techniques, they iteratively extract WordPress user password hashes, secret keys, or PII from custom tables. … |
| Remediation | Upstream fix availability is not independently confirmed from the provided data, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/suredash/vulnerability/wordpress-suredash-plugin-1-8-0-sql-injection-vulnerability and upgrade SureDash to any release later than 1.8.0 once published by Brainstorm Force. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations to identify instances running SureDash version 1.8.0 or below; document affected environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today