Skip to main content

SEO Booster EUVDEUVD-2026-44864

| CVE-2026-15445 MEDIUM
SQL Injection (CWE-89)
2026-07-16 Wordfence GHSA-5cpx-56hx-wvjh
4.9
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

Administrator credentials required to reach the vulnerable GSC list table; read-only blind injection yields no integrity or availability impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 04:46 vuln.today
CVE Published
Jul 16, 2026 - 03:44 cve.org
MEDIUM 4.9

DescriptionCVE.org

The SEO Booster plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Although esc_sql() and sanitize_text_field() are applied, neither neutralizes SQL keywords, commas, parentheses, or subquery syntax in an unquoted ORDER BY context, leaving the clause fully attacker-controlled.

AnalysisAI

Time-based SQL injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) allows authenticated administrators to extract sensitive database contents by manipulating the unquoted 'orderby' parameter in the Google Search Console list table component. The root cause is that developer-applied sanitization functions esc_sql() and sanitize_text_field() fail to neutralize SQL keywords, subquery syntax, commas, or parentheses when used in an ORDER BY clause context, leaving the clause fully attacker-controlled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress administrator credentials
Delivery
Authenticate to wp-admin panel
Exploit
Access SEO Booster GSC list table endpoint
Execution
Inject time-based SQL payload into 'orderby' parameter
Persist
Bypass incomplete esc_sql() sanitization in ORDER BY context
Impact
Extract sensitive database contents via timing side-channel

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account with administrator-level role or higher - confirmed by CVSS PR:H. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.9 score with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N accurately captures the threat profile: network-accessible exploitation with low complexity, but constrained to accounts with WordPress administrator-level privileges. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained WordPress administrator credentials - through phishing, credential stuffing, or a separate vulnerability - authenticates to the admin panel and navigates to the SEO Booster Google Search Console list table view. By injecting a time-based payload such as a conditional SLEEP() expression into the 'orderby' parameter, they observe measurable response delays that allow them to infer database content one character at a time, ultimately extracting WordPress user credentials, API keys, or other sensitive data stored in the database. …
Remediation A patch changeset is available in the WordPress plugin repository at https://plugins.trac.wordpress.org/changeset?reponame=&old=3606177%40seo-booster&new=3606177%40seo-booster - site operators should update the SEO Booster plugin to the first released version incorporating this changeset; a specific fixed release version number is not independently confirmed from the provided data and should be verified in the WordPress plugin changelog before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44864 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy