Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection. This issue affects CleverReach® WP: from n/a through <= 1.5.21.
Published: 2026-01-22
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Immediate Patch
AI Analysis

Impact

The CleverReach WP plugin contains an SQL injection flaw caused by improper neutralization of special characters in SQL statements (CWE-89). An attacker who can send crafted input to the vulnerable plugin endpoints can inject arbitrary SQL and potentially read, modify, or delete data in the WordPress database. Such a compromise could expose sensitive content, disrupt site functionality, and undermine data integrity.

Affected Systems

Any WordPress site running the CleverReach WP plugin version 1.5.21 or earlier is affected. The vulnerability applies regardless of the underlying operating system or WordPress core version, as the flaw exists in the plugin code itself.

Risk and Exploitability

The CVSS score of 9.3 classifies the issue as critical. The EPSS score of < 1 % indicates that the estimated probability of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is crafted HTTP requests to the plugin's input endpoints, which any client able to reach the site can send; no authentication or additional privilege is required beyond that network access. The impact spans the entire database of the affected WordPress installation.

Generated by OpenCVE AI on April 28, 2026 at 09:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the CleverReach WP plugin to version 1.5.22 or later to eliminate the vulnerable code.
  • If a patch cannot be applied immediately, restrict access to the plugin’s forms and endpoints so that only administrators can interact with them, and consider disabling the plugin on sites that do not need it.
  • Deploy a web application firewall rule to detect and block common SQL injection payloads targeting the plugin’s endpoints.
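As an added illustration (not code from the CleverReach WP plugin, whose vulnerable endpoint is not described on this page), the following shows the pattern CWE-89 refers to in a WordPress plugin and the standard fix: a hypothetical request handler that interpolates request input straight into a `$wpdb` query, beside the same handler using `$wpdb->prepare()` with a bound placeholder plus the capability and nonce checks that the "restrict access to the plugin's endpoints" recommendation above implies. The function names, the `cr_subscribers` table and the nonce action are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code. Table, function and nonce names are hypothetical.

// Vulnerable pattern (CWE-89): request input is concatenated into the SQL text,
// so a quote character in the parameter changes the structure of the statement.
function cr_lookup_subscriber_unsafe() {
    global $wpdb;
    $email = isset( $_GET['email'] ) ? $_GET['email'] : '';
    $sql   = "SELECT id, status FROM {$wpdb->prefix}cr_subscribers WHERE email = '" . $email . "'";
    return $wpdb->get_row( $sql, ARRAY_A );
}

// Hardened version: the value travels through a %s placeholder, so $wpdb quotes and
// escapes it and it can never be parsed as SQL; the endpoint is additionally limited
// to users holding a capability and presenting a valid nonce.
function cr_lookup_subscriber_safe() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'cr_lookup_subscriber' ); // nonce action name is hypothetical

    $email = isset( $_GET['email'] ) ? sanitize_email( wp_unslash( $_GET['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        return null; // reject malformed input before it reaches the database
    }

    $sql = $wpdb->prepare(
        "SELECT id, status FROM {$wpdb->prefix}cr_subscribers WHERE email = %s",
        $email
    );
    return $wpdb->get_row( $sql, ARRAY_A );
}
```

The table name comes from `$wpdb->prefix`, never from the request, because `prepare()` placeholders only bind values, not identifiers. Input validation and a WAF rule reduce exposure, but the placeholder is the actual fix: it removes the ability of any input to alter the statement, which is why updating to a patched plugin version is the first action listed.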


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics
    Values Removed: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}
    Values Added:   cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection.This issue affects CleverReach® WP: from n/a through <= 1.5.22.
    Values Added:   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection.This issue affects CleverReach® WP: from n/a through <= 1.5.21.
  Title
    Values Removed: WordPress CleverReach® WP plugin <= 1.5.22 - SQL Injection vulnerability
    Values Added:   WordPress CleverReach® WP plugin <= 1.5.21 - SQL Injection vulnerability

Wed, 28 Jan 2026 18:15:00 +0000

  Metrics
    Values Added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}
    Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

  First Time appeared
    Values Added: Wordpress; Wordpress wordpress
  Vendors & Products
    Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

  Description
    Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection.This issue affects CleverReach® WP: from n/a through <= 1.5.22.
  Title
    Values Added: WordPress CleverReach® WP plugin <= 1.5.22 - SQL Injection vulnerability
  Weaknesses
    Values Added: CWE-89
  References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:27.026Z

Reserved: 2025-12-15T10:01:03.747Z

Link: CVE-2025-68034

Vulnrichment

Updated: 2026-01-28T17:27:59.831Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:08.850

Modified: 2026-04-27T19:16:22.937

Link: CVE-2025-68034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:00:06Z

Weaknesses