Description
Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST parameter. Attackers can send crafted requests to the admin-ajax.php endpoint with malicious SQL payloads in the 'idsignup' parameter to read arbitrary data from the database.
Published: 2026-06-09
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an SQL injection that allows an attacker to retrieve arbitrary information from the database by sending a malicious value in the 'idsignup' POST parameter to the admin‑ajax.php endpoint. This flaw falls under the Input Validation weakness CWE‑89 and can be exploited by unauthenticated users.

Affected Systems

Affected systems are WordPress sites that have installed the Wow Viral Signups 2.1 plugin. The plugin's unescaped 'idsignup' parameter in admin‑ajax.php is the attack surface; all installations of version 2.1 are impacted. If newer plugin versions exist, they may mitigate the flaw, but their availability is not stated.

Risk and Exploitability

The CVSS v3.1 score of 8.8 indicates a high severity, while no EPSS data is provided. The vulnerability is not listed in CISA KEV. Attackers can exploit it by sending crafted HTTP POST requests to the admin‑ajax.php endpoint, bypassing authentication and executing arbitrary SQL. Because the flaw does not require elevated privileges, the risk is widespread and could expose sensitive data such as user credentials or content. Deployment of effective mitigations is therefore critical.

Generated by OpenCVE AI on June 9, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Wow Viral Signups plugin to the latest patched version
  • Disable the plugin until a fix is released if an update is not yet available
  • Configure the web application firewall to block SQL injection attempts targeting the 'idsignup' parameter

Generated by OpenCVE AI on June 9, 2026 at 13:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wow-company
Wow-company viral-signup
Vendors & Products Wordpress
Wordpress wordpress
Wow-company
Wow-company viral-signup

Tue, 09 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Description Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST parameter. Attackers can send crafted requests to the admin-ajax.php endpoint with malicious SQL payloads in the 'idsignup' parameter to read arbitrary data from the database.
Title Wow Viral Signups 2.1 WordPress Plugin SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wordpress Wordpress
Wow-company Viral-signup
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T13:09:18.331Z

Reserved: 2026-06-08T11:46:10.924Z

Link: CVE-2017-20245

cve-icon Vulnrichment

Updated: 2026-06-09T13:09:15.080Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T13:16:34.270

Modified: 2026-06-09T13:51:18.770

Link: CVE-2017-20245

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:15:06Z

Weaknesses