Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network SQLi with low-privilege auth (PR:L) and no UI; primarily data disclosure (C:H) with limited write potential (I:L); scope kept Unchanged as injection stays within the DB security authority.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Inventory WP Inventory Manager wp-inventory-manager allows Blind SQL Injection.This issue affects WP Inventory Manager: from n/a through <= 2.4.0.
AnalysisAI
Blind SQL injection in the WP Inventory Manager WordPress plugin (versions up to and including 2.4.0) lets an authenticated attacker with low privileges inject crafted SQL into database queries, enabling extraction of arbitrary database contents such as user credentials and secrets. Reported by Patchstack, the flaw carries a CVSS 8.5 (scope-changed) rating; no public exploit has been identified at time of analysis and it is not listed in CISA KEV, so risk is currently theoretical but high-impact.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session at low privilege (CVSS PR:L) on a WordPress site running WP Inventory Manager version 2.4.0 or earlier, with network access to the affected plugin endpoint; no user interaction is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) indicates a network-reachable, low-complexity attack requiring only low-privilege authentication and no user interaction, with high confidentiality impact and a changed scope - consistent with SQL injection reaching data beyond the plugin's own boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or registers a low-privilege authenticated account on the WordPress site submits a crafted parameter to a WP Inventory Manager endpoint, injecting boolean- or time-based SQL that the plugin passes unsanitized to the database. By observing response differences or delays, the attacker iteratively extracts sensitive data such as administrator password hashes and secret keys from the wp_users and wp_options tables. … |
| Remediation | No vendor-released patched version is identified in the provided data (the range ends at <= 2.4.0 with no fix version named), so treat any release later than 2.4.0 as the target and verify a fixed build via the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-inventory-manager/vulnerability/wordpress-wp-inventory-manager-plugin-2-4-0-sql-injection-vulnerability?_s_id=cve) and the WordPress.org plugin page before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all WordPress installations using WP Inventory Manager versions 2.4.0 or earlier and restrict plugin access to trusted administrators only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wp Inventory Manager
View allThe WP Inventory Manager WordPress plugin before 2.1.0.14 does not have CSRF checks, which could allow attackers to make
The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it
The WP Inventory Manager WordPress plugin before 2.1.0.12 does not sanitise and escape the message parameter before outp
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43392