Skip to main content

Geekybot

3 CVEs product

Monthly

CVE-2026-57679 CRITICAL Act Now

SQL injection in the GeekyBot WordPress plugin (versions 1.2.5 and earlier) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries per the CVSS PR:N vector. Reported by Patchstack and rated CVSS 9.3 (critical) with a scope-changed vector, the flaw enables confidentiality-impacting data extraction from the WordPress database without any authentication or user interaction. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi Geekybot
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2026-40772 CRITICAL Act Now

Unauthenticated arbitrary file upload in the GeekyBot WordPress plugin (versions 1.2.2 and earlier) allows remote attackers to upload arbitrary files, including PHP webshells, to the web server without any authentication. Reported by Patchstack and tracked as EUVD-2026-36981, this issue carries a maximum 10.0 CVSS due to network-reachable exploitation with no privileges, no user interaction, and a scope change leading to full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the CWE-434 class is heavily targeted on WordPress plugins and routinely leads to full site compromise once disclosed.

File Upload Geekybot
NVD VulDB
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-39519 CRITICAL Act Now

Unauthenticated SQL injection in the GeekyBot WordPress plugin versions 1.2.0 and earlier allows remote attackers to inject arbitrary SQL queries against the WordPress database without any authentication or user interaction. The flaw was disclosed via Patchstack and carries a high CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the plugin's own security context. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Geekybot
NVD
CVSS 3.1
9.3
EPSS
0.3%
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in the GeekyBot WordPress plugin (versions 1.2.5 and earlier) allows unauthenticated remote attackers to inject arbitrary SQL into backend database queries per the CVSS PR:N vector. Reported by Patchstack and rated CVSS 9.3 (critical) with a scope-changed vector, the flaw enables confidentiality-impacting data extraction from the WordPress database without any authentication or user interaction. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi Geekybot
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Unauthenticated arbitrary file upload in the GeekyBot WordPress plugin (versions 1.2.2 and earlier) allows remote attackers to upload arbitrary files, including PHP webshells, to the web server without any authentication. Reported by Patchstack and tracked as EUVD-2026-36981, this issue carries a maximum 10.0 CVSS due to network-reachable exploitation with no privileges, no user interaction, and a scope change leading to full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though the CWE-434 class is heavily targeted on WordPress plugins and routinely leads to full site compromise once disclosed.

File Upload Geekybot
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the GeekyBot WordPress plugin versions 1.2.0 and earlier allows remote attackers to inject arbitrary SQL queries against the WordPress database without any authentication or user interaction. The flaw was disclosed via Patchstack and carries a high CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the plugin's own security context. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Geekybot
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy