Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Requires an authenticated admin (PR:H) over the network with low complexity; SQLi yields full DB read (C:H), limited integrity impact (I:L), no scope change (S:U) since the database is the same security authority.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Administrator SQL Injection in WP All Import <= 4.0.1 versions.
AnalysisAI
SQL injection in the WP All Import WordPress plugin (versions 4.0.1 and earlier) allows an authenticated administrator to inject arbitrary SQL into backend database queries, enabling extraction of sensitive data beyond what the plugin UI exposes. The CVSS 3.1 vector (AV:N/AC:L/PR:H) confirms it is network-reachable but requires high privileges, and the original vector's S:C/C:H/A:L rates impact as elevated. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress administrator account (CVSS PR:H), so this is not a remote unauthenticated flaw - the limiting factor is that the attacker must already hold or compromise admin-level access to the target site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and lean toward a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or been granted WordPress administrator access navigates to a WP All Import function and submits an import request containing a crafted parameter that is concatenated into a backend SQL query, allowing them to read arbitrary database tables such as user credentials or other sensitive records. No public POC is identified in the provided data, and the low attack complexity (AC:L) means that once admin access exists, exploitation is straightforward. … |
| Remediation | Upgrade WP All Import to a version later than 4.0.1 once the vendor publishes a fixed release; the provided data does not include an exact patched version, so confirm the fixed version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-all-import/vulnerability/wordpress-wp-all-import-plugin-4-0-1-sql-injection-vulnerability?_s_id=cve) before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations to identify those running WP All Import version 4.0.1 or earlier; review administrator account activity logs for the past 90 days. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39744
GHSA-mf27-wm76-5323