CVE-2026-3334 - Vulnerability Analysis

Overview

CMS Commander WordPress plugin <= 2.288 contains a SQL injection caused by insufficient escaping of 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in restore workflow SQL queries, letting authenticated attackers with API key access extract sensitive database information.

Severity & Score

Impact

Authenticated attackers can extract sensitive database information, potentially compromising data confidentiality.

Mitigation

Update to a version later than 2.288 or the latest available version.

References

• https://www.wordfence.com/threat-intel/vulnerabilities/id/0311b546-01a4-4be8-97f3-6df6cd79c3fe?source=cve
• https://plugins.trac.wordpress.org/browser/cms-commander-client/tags/2.288/lib/CMSC/Backup.php#L1366
• https://plugins.trac.wordpress.org/browser/cms-commander-client/tags/2.288/lib/CMSC/Backup.php#L1639

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 21, 2026

🟠 CVE-2026-3334 - High (8.8) The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user suppli... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3334/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner