Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FireStorm Plugins FireStorm Professional Real Estate fs-real-estate-plugin allows Blind SQL Injection.This issue affects FireStorm Professional Real Estate: from n/a through <= 2.7.11.
Published: 2026-01-22
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection: Blind SQL Injection allowing data exfiltration and potential control of the database
Action: Patch or Disable
AI Analysis

Impact

FireStorm Professional Real Estate plugin suffers from a blind SQL Injection flaw caused by improper neutralization of special elements in an SQL command. An attacker who can supply crafted input to the vulnerable parameter can extract data from the database layer and potentially alter or delete content without authentication. The impact is a compromise of data confidentiality and integrity for the affected WordPress site.

Affected Systems

FireStorm Plugins FireStorm Professional Real Estate plugin versions up to and including 2.7.11 are vulnerable. No precise version range is provided beyond the latest affected major release.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.6, indicating high severity. The EPSS score is under 1%, suggesting a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Likely attack vectors involve a web-facing WordPress site where the plugin processes user-supplied data; an attacker would need to send crafted input to the vulnerable endpoint, which could trigger the blind SQL query.

Generated by OpenCVE AI on April 16, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FireStorm Professional Real Estate plugin to the newest released version (2.7.12 or later) to include the vendor-supplied fix.
  • If upgrading is not feasible immediately, disable or remove the plugin from the WordPress installation to remove the attack surface.
  • Review any custom code that interfaces with the plugin’s data layer and apply proper input sanitization or parameterized queries to mitigate similar injection vectors.

Generated by OpenCVE AI on April 16, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Firestorm Plugins
Firestorm Plugins firestorm Professional Real Estate
Wordpress
Wordpress wordpress
Vendors & Products Firestorm Plugins
Firestorm Plugins firestorm Professional Real Estate
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FireStorm Plugins FireStorm Professional Real Estate fs-real-estate-plugin allows Blind SQL Injection.This issue affects FireStorm Professional Real Estate: from n/a through <= 2.7.11.
Title WordPress FireStorm Professional Real Estate plugin <= 2.7.11 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Firestorm Plugins Firestorm Professional Real Estate
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:58.164Z

Reserved: 2026-01-07T13:44:06.688Z

Link: CVE-2026-22470

cve-icon Vulnrichment

Updated: 2026-01-27T20:47:53.485Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:35.763

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22470

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses