Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Contributor account required (PR:L) over the network with low complexity; SQLi reads data across DB scope (S:C, C:H) with minor availability effect and no integrity change.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions.
AnalysisAI
Authenticated SQL injection in the WordPress plugin nicen-localize-image (versions 1.4.9 and earlier) allows users holding the low-privilege Contributor role to inject arbitrary SQL into the WordPress database backend. Because the CVSS scope is changed and confidentiality impact is High, a Contributor can read data beyond the plugin's own remit, potentially extracting other users' credentials or secrets from the wp_users/wp_options tables. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account with at least the WordPress Contributor role (CVSS PR:L) on a site running nicen-localize-image version 1.4.9 or earlier; no user interaction and no special product configuration beyond the plugin being active are needed (AV:N/AC:L/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, base 8.5 High) indicates network-reachable, low-complexity exploitation requiring only low privileges (a Contributor account) and no user interaction, with a scope change amplifying impact and High confidentiality loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a Contributor account on a WordPress site running nicen-localize-image <= 1.4.9, then submits a crafted request to the plugin's vulnerable endpoint with a malicious SQL payload in a parameter that is concatenated into a database query. Leveraging the changed scope and High confidentiality impact, they extract sensitive data such as administrator password hashes or secret keys from other database tables. … |
| Remediation | No vendor-released patch version is identified in the available data, so the primary action is to consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/nicen-localize-image/vulnerability/wordpress-nicen-localize-image-plugin-1-4-9-sql-injection-vulnerability) for the fixed release and upgrade to any version above 1.4.9 as soon as it is confirmed available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for nicen-localize-image usage and contributor role assignments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41312
GHSA-vf3q-vv2j-4h2g