Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
7DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection.This issue affects Miraculous Core Plugin: from n/a through < 2.1.2.
AnalysisAI
A blind SQL injection vulnerability exists in the Miraculous Core Plugin for WordPress (versions prior to 2.1.2), allowing attackers to execute arbitrary SQL commands against the underlying database without displaying query results directly. This vulnerability affects all installations of the kamleshyadav Miraculous Core Plugin below version 2.1.2, enabling attackers to extract sensitive data, modify database contents, or potentially achieve remote code execution depending on database permissions and WordPress configuration. While CVSS and EPSS scores are not yet available and KEV status is unknown, the SQL injection classification (CWE-89) and reporting via Patchstack indicate this is a validated vulnerability with a confirmed patch available in version 2.1.2.
Technical ContextAI
This vulnerability stems from improper neutralization of special characters in SQL commands, classified under CWE-89 (SQL Injection). The Miraculous Core Plugin (identified by CPE cpe:2.3:a:kamleshyadav:miraculous_core_plugin:*:*:*:*:*:*:*:*) fails to properly sanitize or parameterize user-supplied input before incorporating it into database queries executed by WordPress. The blind SQL injection variant is particularly dangerous because the attacker cannot see query results directly; instead, they must infer data through time-based delays, boolean-based responses, or error-based techniques. This commonly affects plugin functionality that processes user input through custom database queries without using WordPress prepared statements (wpdb->prepare()) or proper escaping functions.
RemediationAI
Immediately upgrade the Miraculous Core Plugin to version 2.1.2 or later, which contains the security patch resolving the SQL injection vulnerability. This patch is available through the official WordPress plugin repository and can be deployed via WordPress admin dashboard (Plugins → Updates) or command-line tools like WP-CLI. Until patching is feasible, implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the plugin's endpoints, restrict database user permissions to the minimum required for plugin functionality (principle of least privilege), and monitor database query logs for suspicious activity patterns indicative of blind SQL injection attempts (unusual timing delays or repeated conditional queries). Additionally, ensure WordPress and all other plugins are kept current, as defense-in-depth reduces overall attack surface.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15876