SQL Injection Vulnerability in SEO Booster Plugin for WordPress
CVE-2026-15445

4.9MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
16 July 2026

What is CVE-2026-15445?

The SEO Booster plugin for WordPress is susceptible to time-based SQL Injection through the 'orderby' parameter in versions 7.3.1 and earlier. This vulnerability arises from inadequate escaping of user-supplied parameters and insufficient handling of SQL queries. Authenticated users with administrator-level permissions can exploit this flaw to insert additional SQL queries, potentially leading to the extraction of sensitive database information. Although certain security functions like esc_sql() and sanitize_text_field() are employed, they do not effectively neutralize critical SQL syntax elements in the unquoted ORDER BY context, allowing malicious manipulation of the query.

Affected Version(s)

SEO Booster 0 <= 7.3.1

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.