Time-Based Blind SQL Injection in Tainacan Plugin for WordPress
CVE-2026-6230

7.5HIGH

Key Information:

Vendor

WordPress

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-6230?

The Tainacan plugin for WordPress is susceptible to a time-based blind SQL Injection via the 'geoquery' parameter in all versions up to and including 1.0.3. This vulnerability arises from inadequate escaping of user-supplied input combined with insufficient preparation of the SQL query. Attackers, without needing authentication, can exploit this flaw to append malicious SQL statements, potentially extracting confidential data from the database.

Affected Version(s)

Tainacan 0 <= 1.0.3

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

daroo
.