Skip to main content

SureDash CVE-2026-54813

HIGH
SQL Injection (CWE-89)
2026-06-17 Patchstack
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Network-reachable WordPress plugin endpoint reachable by any authenticated low-privileged user (PR:L), no interaction; blind SQLi yields full DB read (C:H) with scope change beyond plugin, integrity unaffected.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 14:25 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force SureDash allows Blind SQL Injection.

This issue affects SureDash: from n/a through 1.8.0.

AnalysisAI

Blind SQL injection in Brainstorm Force SureDash WordPress plugin versions up to and including 1.8.0 allows authenticated low-privileged attackers to inject arbitrary SQL commands through unsanitized input. The scope-changed CVSS 8.5 score reflects that exploitation can impact resources beyond the vulnerable component, exposing sensitive WordPress database contents to remote attackers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged WordPress account
Delivery
Identify SureDash vulnerable endpoint
Exploit
Submit crafted SQL payload in plugin parameter
Execution
Infer query results via blind boolean/timing side channel
Persist
Iteratively exfiltrate database contents (users, hashes, secrets)
Impact
Pivot using stolen credentials or wp-config secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires the SureDash plugin to be installed and activated on a WordPress site at version 1.8.0 or earlier, and the attacker must hold valid credentials for an authenticated WordPress account (PR:L from the CVSS vector indicates a low-privileged role such as Subscriber or Contributor is sufficient - admin rights are not needed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L indicates network-reachable, low-complexity exploitation requiring only low privileges (any authenticated WordPress user role, potentially Subscriber) and no user interaction, with a scope change reflecting that SQL access reaches the entire WordPress database beyond the plugin's own context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a low-privileged account on a WordPress site running SureDash <= 1.8.0 (or uses any existing low-privileged credential) and sends crafted requests to a vulnerable plugin endpoint that concatenates input into a SQL query. Using boolean or time-based blind techniques, they iteratively extract WordPress user password hashes, secret keys, or PII from custom tables. …
Remediation Upstream fix availability is not independently confirmed from the provided data, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/suredash/vulnerability/wordpress-suredash-plugin-1-8-0-sql-injection-vulnerability and upgrade SureDash to any release later than 1.8.0 once published by Brainstorm Force. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations to identify instances running SureDash version 1.8.0 or below; document affected environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54813 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy