PT-2026-26850 · WordPress · Wordpress+1
Ronnachai Chaipha +1 · Published 2026-03-21 · Updated 2026-03-21 · CVE-2026-3334
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
CMS Commander plugin for WordPress versions prior to 2.289
Description
The CMS Commander plugin for WordPress is susceptible to SQL Injection due to insufficient input validation and query preparation. Specifically, the "or blogname", "or blogdescription", and "or admin email" parameters are not adequately sanitized, allowing authenticated attackers with CMS Commander API key access to inject malicious SQL queries into existing database queries during the restore workflow. This could lead to the extraction of sensitive information from the database.
Recommendations
Update the CMS Commander plugin to version 2.289 or later.
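The weakness named in the description (request values reaching SQL without validation or query preparation), as an added example that is not CMS Commander's code: a hypothetical restore helper that concatenates a value into the query, beside a version that validates each value and binds it with `$wpdb->prepare()`. The function names and the `$params` keys are assumptions, and the code expects a loaded WordPress environment.

```php
<?php
// Added illustration, not CMS Commander's code. Both function names and the
// $params keys are hypothetical; $wpdb and the sanitizers are WordPress core.

// Pattern the description warns about: a request value concatenated into SQL.
// A quote character in $params['blogname'] changes the statement's structure.
function restore_site_identity_unsafe( array $params ) {
    global $wpdb;
    $wpdb->query(
        "UPDATE {$wpdb->options} SET option_value = '" . $params['blogname'] .
        "' WHERE option_name = 'blogname'"
    );
}

// Hardened: type-check and validate each value, then bind it as a parameter.
function restore_site_identity( array $params ) {
    global $wpdb;
    foreach ( array( 'blogname', 'blogdescription', 'admin_email' ) as $key ) {
        if ( ! isset( $params[ $key ] ) || ! is_string( $params[ $key ] ) ) {
            return new WP_Error( 'bad_param', "$key must be a string" );
        }
    }
    $values = array(
        'blogname'        => sanitize_text_field( $params['blogname'] ),
        'blogdescription' => sanitize_text_field( $params['blogdescription'] ),
        'admin_email'     => sanitize_email( $params['admin_email'] ),
    );
    if ( ! is_email( $values['admin_email'] ) ) {
        return new WP_Error( 'invalid_email', 'admin_email is not a valid address' );
    }
    foreach ( $values as $option => $value ) {
        // prepare() escapes and quotes each %s value; the option name comes
        // from the fixed array above, never from the request.
        $result = $wpdb->query(
            $wpdb->prepare(
                "UPDATE {$wpdb->options} SET option_value = %s WHERE option_name = %s",
                $value,
                $option
            )
        );
        if ( false === $result ) {
            return new WP_Error( 'db_error', 'restore query failed' );
        }
    }
    wp_cache_delete( 'alloptions', 'options' ); // direct writes bypass the options cache
    return true;
}
```

Where a workflow does not need raw SQL, `update_option()` gives the same parameter binding and handles the cache itself.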
Fix
SQL injection
Affected Products
Cms Commander
Wordpress