Skip to main content

Tainacan

5 CVEs product

Monthly

CVE-2026-6230 HIGH This Week

SQL injection in the Tainacan WordPress plugin (versions ≤ 1.0.3) lets unauthenticated attackers exfiltrate database contents through the 'geoquery' parameter, which is concatenated into a SQL query without proper escaping or prepared-statement binding. Because the injection is time-based blind, attackers infer data character-by-character from response delays rather than direct output. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the network-reachable, no-authentication vector makes it a realistic target for automated scanning once details spread.

WordPress SQLi Tainacan
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-13236 MEDIUM PATCH This Month

The Tainacan plugin for WordPress is vulnerable to SQL Injection via the 'collection_id' parameter in all versions up to, and including, 0.21.12 due to insufficient escaping on the user supplied. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

WordPress SQLi Tainacan
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-9221 MEDIUM PATCH This Month

The Tainacan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Tainacan
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-7135 MEDIUM PATCH This Month

The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Path Traversal Tainacan
NVD
CVSS 3.1
6.5
EPSS
2.7%
CVE-2023-47848 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tainacan.Org Tainacan allows Reflected XSS.20.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Tainacan
NVD
CVSS 3.1
7.1
EPSS
0.2%
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the Tainacan WordPress plugin (versions ≤ 1.0.3) lets unauthenticated attackers exfiltrate database contents through the 'geoquery' parameter, which is concatenated into a SQL query without proper escaping or prepared-statement binding. Because the injection is time-based blind, attackers infer data character-by-character from response delays rather than direct output. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the network-reachable, no-authentication vector makes it a realistic target for automated scanning once details spread.

WordPress SQLi Tainacan
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

The Tainacan plugin for WordPress is vulnerable to SQL Injection via the 'collection_id' parameter in all versions up to, and including, 0.21.12 due to insufficient escaping on the user supplied. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

WordPress SQLi Tainacan
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The Tainacan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Tainacan
NVD
EPSS 3% CVSS 6.5
MEDIUM PATCH This Month

The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Path Traversal +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tainacan.Org Tainacan allows Reflected XSS.20.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Tainacan
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy