Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection. This issue affects Lisfinity Core: from n/a through <= 1.5.0.
Published: 2026-03-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection exposing database data
Action: Patch Immediately
AI Analysis

Impact

The vulnerability originates from improper escaping of user-supplied input before it is incorporated into an SQL query. This flaw allows an attacker to inject arbitrary SQL commands, potentially reading, modifying, or deleting records in the WordPress database. The weakness is classified as CWE‑89 and represents a classic injection flaw that directly compromises data confidentiality and integrity.

Affected Systems

WordPress sites that have the Lisfinity Core plugin (distributed by pebas) installed in any version up through 1.5.0 are vulnerable. The issue is independent of the underlying operating system or web server; it exists wherever the affected plugin code is present within the WordPress installation.

Risk and Exploitability

With a CVSS score of 9.3 the flaw is deemed critical. Although the EPSS score is below 1 %—suggesting a low probability of exploitation in the wild—the potential impact is high. Attackers can remotely exploit the flaw by sending crafted HTTP requests that trigger the injection point, enabling full read/write/delete access to the database. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants immediate attention.

Generated by OpenCVE AI on March 26, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lisfinity Core to a version newer than 1.5.0 as soon as a vendor patch becomes available
  • After upgrading, verify that the site functions correctly and confirm the plugin is no longer vulnerable
  • If a patch is not yet released, limit exposure by restricting access to the vulnerable endpoints or by configuring a web‑application firewall to block suspicious requests

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pebas; Pebas lisfinity Core; Wordpress; Wordpress wordpress
Vendors & Products | | Pebas; Pebas lisfinity Core; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection. This issue affects Lisfinity Core: from n/a through <= 1.5.0.
Title | | WordPress Lisfinity Core plugin <= 1.5.0 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:03.164Z

Reserved: 2026-01-07T13:44:16.751Z

Link: CVE-2026-22484

Vulnrichment

Updated: 2026-03-26T19:12:54.548Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:30.803

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:55Z
