CMS Commander plugin for WordPress all versions up to and including 2.288
Summary
This vulnerability is an unauthenticated SQL injection flaw in the restore workflow of the CMS Commander WordPress plugin. Insufficient escaping of user-supplied parameters and the lack of proper query preparation allow attackers to append malicious SQL code to existing queries. Attackers with CMS Commander API key access can exploit this flaw to extract sensitive information from the site's underlying database.
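To make the root cause concrete, here is an added illustration (not CMS Commander's own code) of the two patterns the summary contrasts: a hypothetical restore-style lookup that concatenates a request parameter into the SQL text, beside the same lookup rewritten with the WordPress `$wpdb->prepare()` API. The table, column and parameter names are assumptions; the `$wpdb` methods used (`prepare`, `get_var`) and `absint()` are real WordPress APIs.

```php
<?php
// Added example, not the plugin's code. Both functions receive the global
// WordPress $wpdb object and the request array; the table name
// {$wpdb->prefix}cmsc_backups and the backup_id parameter are assumptions.

// Vulnerable pattern: the raw request value is spliced into the query string.
// Any quote in the value ends the literal, so the rest of the value is parsed
// as SQL. This is the "insufficient escaping, no query preparation" defect.
function cmsc_lookup_backup_unsafe( $wpdb, array $request ) {
    $backup_id = isset( $request['backup_id'] ) ? $request['backup_id'] : '';
    $sql       = "SELECT file_path FROM {$wpdb->prefix}cmsc_backups"
               . " WHERE backup_id = '" . $backup_id . "'";
    return $wpdb->get_var( $sql );
}

// Hardened pattern: the value is coerced to a non-negative integer with
// absint(), rejected when missing, and bound through $wpdb->prepare() using a
// %d placeholder, so the query text never contains attacker-controlled bytes.
function cmsc_lookup_backup_safe( $wpdb, array $request ) {
    $backup_id = isset( $request['backup_id'] ) ? absint( $request['backup_id'] ) : 0;
    if ( 0 === $backup_id ) {
        return null; // no valid ID supplied: do not run a query at all
    }
    $sql = $wpdb->prepare(
        "SELECT file_path FROM {$wpdb->prefix}cmsc_backups WHERE backup_id = %d",
        $backup_id
    );
    return $wpdb->get_var( $sql );
}
```

For string-typed parameters the same approach applies with a `%s` placeholder; the key property is that the user value is passed as a bound argument to `prepare()`, never interpolated into the query string.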
Remediation
Update the CMS Commander plugin to the latest patched version that properly sanitizes user input and secures SQL queries. If no patched version is available from the vendor, disable and remove the plugin from your WordPress site to mitigate the risk of exploitation.