CVE-2026-3334 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: March 21, 2026
CMS Commander WordPress plugin - SQL Injection
Published: March 21, 2026 | Updated: March 21, 2026 | Remote Exploitable
Overview
CMS Commander WordPress plugin versions up to and including 2.288 contain a SQL injection caused by insufficient escaping of the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters before they are used in SQL queries in the restore workflow (lib/CMSC/Backup.php). An authenticated attacker who holds a valid plugin API key can use it to extract sensitive information from the database.
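The following is an added illustration of the bug class described above and of the WordPress-idiomatic fix; it is not code from the CMS Commander plugin and does not reproduce the queries at the referenced lines of Backup.php. It assumes a loaded WordPress environment (so that the global `$wpdb` exists, e.g. run through `wp eval-file`); the function names and the sample request are constructed, while the three parameter names come from the advisory. Instead of executing the statements, both versions return them so the effect of a quote-breaking value can be read off directly.

```php
<?php
/**
 * Added illustration for CVE-2026-3334. NOT code from the CMS Commander plugin:
 * a constructed example of request parameters interpolated into a restore-time
 * SQL statement, beside the same logic bound through $wpdb->prepare().
 * Assumes a loaded WordPress environment; run with: wp eval-file cve-2026-3334-demo.php
 * Function names are hypothetical; the or_* parameter names are from the advisory.
 */

/** Map the advisory's restore parameters onto the wp_options rows they restore. */
function cmsc_demo_collect_updates( array $params ) {
    return array(
        'blogname'        => isset( $params['or_blogname'] ) ? $params['or_blogname'] : '',
        'blogdescription' => isset( $params['or_blogdescription'] ) ? $params['or_blogdescription'] : '',
        'admin_email'     => isset( $params['or_admin_email'] ) ? $params['or_admin_email'] : '',
    );
}

/**
 * Vulnerable pattern: the value is dropped into the statement as-is, so a
 * single quote in the parameter terminates the string literal and everything
 * after it is parsed as SQL. Returns the statements instead of running them.
 */
function cmsc_demo_build_vulnerable( array $params ) {
    global $wpdb;
    $sql = array();
    foreach ( cmsc_demo_collect_updates( $params ) as $name => $value ) {
        $sql[] = "UPDATE {$wpdb->options} SET option_value = '{$value}' WHERE option_name = '{$name}'";
    }
    return $sql;
}

/**
 * Hardened pattern: every value is bound through $wpdb->prepare(), which
 * escapes each %s argument and adds the surrounding quotes itself.
 */
function cmsc_demo_build_hardened( array $params ) {
    global $wpdb;
    $sql = array();
    foreach ( cmsc_demo_collect_updates( $params ) as $name => $value ) {
        $sql[] = $wpdb->prepare(
            "UPDATE {$wpdb->options} SET option_value = %s WHERE option_name = %s",
            $value,
            $name
        );
    }
    return $sql;
}

// Constructed request: a generic quote-breaking value in one parameter.
$demo_params = array(
    'or_blogname'        => "My Site' OR 1=1 -- ",
    'or_blogdescription' => 'Just another site',
    'or_admin_email'     => 'admin@example.com',
);

echo "Vulnerable (the value becomes part of the statement; WHERE clause is commented out):\n";
foreach ( cmsc_demo_build_vulnerable( $demo_params ) as $stmt ) {
    echo "  $stmt\n";
}
echo "\nHardened (the value stays inside the quoted literal):\n";
foreach ( cmsc_demo_build_hardened( $demo_params ) as $stmt ) {
    echo "  $stmt\n";
}
```

In the vulnerable output the first statement reads `... SET option_value = 'My Site' OR 1=1 -- ' WHERE option_name = 'blogname'`, so the row filter is gone and the update would apply to every option row; the prepared version yields `'My Site\' OR 1=1 -- '` as a single literal. For a plain option restore the simplest correct code is `update_option( $name, $value )`, which goes through WordPress's prepared queries internally; `$wpdb->prepare()` is shown here because it is the direct fix for the "insufficient escaping" the advisory names.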
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated attackers holding a plugin API key can extract sensitive database information, compromising data confidentiality; the CVSS vector below additionally rates the integrity and availability impact as High.
Mitigation
Update to the latest available version of the plugin (any release later than 2.288). Because exploitation requires a valid plugin API key, also review who holds that key and rotate it if it may have been exposed.
References
- https://plugins.trac.wordpress.org/browser/cms-commander-client/tags/2.288/lib/CMSC/Backup.php#L1366
- https://plugins.trac.wordpress.org/browser/cms-commander-client/tags/2.288/lib/CMSC/Backup.php#L1639
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0311b546-01a4-4be8-97f3-6df6cd79c3fe?source=cve
Details
- CVE ID: CVE-2026-3334
- Severity: High
- CVSS Score: 8.8
- Type: sql_injection
- Status: new
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H