PT-2026-26850 · WordPress · Wordpress+1

Ronnachai Chaipha +1 · Published 2026-03-21 · Updated 2026-03-21 · CVE-2026-3334

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

CMS Commander plugin for WordPress versions prior to 2.289

Description

The CMS Commander plugin for WordPress is susceptible to SQL injection due to insufficient input validation and query preparation. Specifically, the or_blogname, or_blogdescription, and or_admin_email parameters are not adequately sanitized, allowing authenticated attackers with CMS Commander API key access to inject malicious SQL into existing database queries during the restore workflow. This could lead to the extraction of sensitive information from the database.

Recommendations

Update the CMS Commander plugin to version 2.289 or later.

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-3334

Affected Products

Cms Commander
Wordpress