CVE-2026-9010

Name of the Vulnerable Software and Affected Versions Boost plugin for WordPress versions prior to 2.0.4

Description The plugin is susceptible to time-based SQL Injection, a technique where an attacker sends queries that cause the database to wait for a specific amount of time before responding, allowing them to infer data. This occurs due to insufficient escaping of user-supplied parameters and a lack of proper preparation of SQL queries. Unauthenticated attackers can append additional SQL queries to extract sensitive information from the database via the 'current url' and user name parameters.

Recommendations Update the plugin to version 2.0.4 or later. As a temporary workaround, restrict access to the parameters 'current url' and user name to minimize the risk of exploitation.