Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMart Team Member allows Blind SQL Injection.

This issue affects Team Member: from n/a through 8.5.
Published: 2026-05-07
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPMart Team Member plugin suffers from an input validation flaw that allows an attacker to inject SQL statements into the database. A blind SQL injection vulnerability can be leveraged to extract sensitive information from the database, thereby compromising the confidentiality of data stored by the WordPress site.

Affected Systems

Any site running the WordPress Team Member plugin, versions up through 8.5, is affected. The plugin is distributed by WPMart and is commonly installed on WordPress sites to manage team member profiles.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.6, indicating a high risk. EPSS data is unavailable and the issue is not listed in CISA’s KEV catalog, but the lack of readily disclosed exploitation evidence does not reduce the potential impact. Because the flaw occurs in a blind SQL injection scenario, it likely requires an attacker to interact with a vulnerable parameter—typically through plugin configuration or form input—without necessarily possessing advanced privileges. The attack vector, therefore, is inferred to be a local or authenticated user-level interaction with the plugin’s input fields.

Generated by OpenCVE AI on May 7, 2026 at 09:22 UTC.

Remediation

Vendor Solution

Update the WordPress Team Member Plugin to the latest available version (at least 8.6).


OpenCVE Recommended Actions

  • Update the WordPress Team Member plugin to version 8.6 or later.
  • Disable or uninstall the plugin if an upgrade cannot be performed immediately.
  • Verify that other WordPress plugins and the core theme are up to date and monitor for unusual database activity or error logs that may indicate injection attempts.

Advisories

No advisories yet.

History

Thu, 07 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 08:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMart Team Member allows Blind SQL Injection. This issue affects Team Member: from n/a through 8.5.
Title | | WordPress Team Member plugin <= 8.5 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-07T12:04:44.554Z

Reserved: 2025-12-15T10:01:19.543Z

Link: CVE-2025-68060

Vulnrichment

Updated: 2026-05-07T12:04:39.879Z

NVD

Status: Deferred

Published: 2026-05-07T09:16:26.640

Modified: 2026-05-07T14:00:48.567

Link: CVE-2025-68060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T09:30:06Z

Weaknesses