Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Crete Core crete-core allows Blind SQL Injection. This issue affects Crete Core: from n/a through <= 1.4.3.
Published: 2026-02-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Data Breach
Action: Patch Immediately
AI Analysis

Impact

The TeconceTheme Crete Core WordPress plugin contains a blind SQL injection flaw that allows a crafted request to execute arbitrary SQL commands. This vulnerability can lead to reading, modifying, or deleting database data, potentially exposing sensitive information or compromising site integrity.

Affected Systems

WordPress sites running the Crete Core plugin version 1.4.3 or earlier are affected. The flaw exists in all releases up to and including 1.4.3, so any site using these versions must be verified and updated.

Risk and Exploitability

The CVSS score of 9.3 signals critical severity, while the EPSS score of less than 1% indicates a very low estimated likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, but the impact is severe if the blind injection is leveraged. An attacker would need to send a crafted request to a Crete Core endpoint; the attack vector is inferred to be malicious HTTP requests that inject unsanitized SQL fragments. Given the database privileges available to the plugin, exploitation could expose user data or alter site content.

Generated by OpenCVE AI on April 27, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Crete Core plugin to a version newer than 1.4.3 as soon as possible.
  • If an immediate update is not possible, deactivate the Crete Core plugin to remove the exploit surface.
  • Deploy a Web Application Firewall rule set that blocks or sanitizes potential SQL injection payloads targeting WordPress, such as filtering suspicious query strings or SQL keywords.
  • Monitor database and WordPress audit logs for unauthorized queries or unexpected changes.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Teconcetheme
Teconcetheme crete Core
Wordpress
Wordpress wordpress
Vendors & Products Teconcetheme
Teconcetheme crete Core
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Crete Core crete-core allows Blind SQL Injection. This issue affects Crete Core: from n/a through <= 1.4.3.
Title WordPress Crete Core plugin <= 1.4.3 - SQL Injection vulnerability
Weaknesses CWE-89
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:47:02.640Z

Reserved: 2025-12-31T20:12:02.742Z

Link: CVE-2025-69305

Vulnrichment

Updated: 2026-02-24T19:27:04.892Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:18.573

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69305

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:45:12Z