Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network-reachable blind SQLi needing a low-privileged account (PR:L); scope change (S:C) as injection reaches core WordPress tables, high read impact, no integrity change.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CreativeWS CWS SVGicons cws-svgicons allows Blind SQL Injection.This issue affects CWS SVGicons: from n/a through <= 1.5.5.
AnalysisAI
Authenticated blind SQL injection in the CreativeWS CWS SVGicons WordPress plugin (all versions up to and including 1.5.5) allows a low-privileged authenticated user to inject crafted SQL into a database query, per a Patchstack advisory. Because the CVSS vector reports a scope change with high confidentiality impact, a successful attack can read data beyond the plugin's own tables, exposing the broader WordPress database. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress session with at least low-level privileges (CVSS PR:L) on a site where the CWS SVGicons plugin version 1.5.5 or earlier is installed and active; no user interaction is needed (UI:N) and the vulnerable request is reachable over the network (AV:N) with low complexity (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderately concerning but not top-tier emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or registers a low-privileged WordPress account on a site running CWS SVGicons ≤ 1.5.5 submits crafted input to a vulnerable plugin parameter, injecting boolean- or time-based SQL. Over repeated requests they blindly extract sensitive data such as password hashes from wp_users or secret keys from wp_options, and the scope change lets the query reach beyond the plugin's own data. … |
| Remediation | No vendor-released patch version is identified in the available data, so no exact fix version can be cited. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, disable and deactivate the CWS SVGicons plugin on all WordPress instances. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43403