Time-Based Blind SQL Injection in Eight Day Week Print Workflow Plugin for WordPress
CVE-2026-5028

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Eight Day Week Print Workflow
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-5028?

The Eight Day Week Print Workflow plugin for WordPress contains a vulnerability that allows for time-based blind SQL injection through the 'title' parameter in the pp-get-articles AJAX action. This is due to inadequate escaping of user-supplied input and a lack of proper preparation of the SQL query. Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to inject additional SQL queries, enabling them to access and extract sensitive information from the database.

Affected Version(s)

Eight Day Week Print Workflow 0 <= 1.2.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/eight-day-week...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Mar 27, 2026

Credit

Loganatha Vishnubalaji

CVE-2026-5028 Data

JSON