{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22484", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:16.751Z", "datePublished": "2026-03-25T16:14:22.610Z", "dateUpdated": "2026-03-25T16:14:22.610Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "lisfinity-core", "product": "Lisfinity Core", "vendor": "pebas", "versions": [{"lessThanOrEqual": "<= 1.5.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:04.528Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.<p>This issue affects Lisfinity Core: from n/a through <= 1.5.0.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.This issue affects Lisfinity Core: from n/a through <= 1.5.0."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:22.610Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/lisfinity-core/vulnerability/wordpress-lisfinity-core-plugin-1-5-0-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Lisfinity Core plugin <= 1.5.0 - SQL Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.This issue affects Lisfinity Core: from n/a through <= 1.5.0."}], "id": "CVE-2026-22484", "lastModified": "2026-03-25T17:16:30.803", "metrics": {}, "published": "2026-03-25T17:16:30.803", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/lisfinity-core/vulnerability/wordpress-lisfinity-core-plugin-1-5-0-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:27:41.892230+00:00", "value": {"mitigation_remediation": ["Upgrade Lisfinity Core to the latest available version (1.5.1 or newer).", "If an upgrade is not immediately possible, consider disabling or removing the plugin from the WordPress installation.", "Monitor web traffic and database logs for signs of SQL injection attempts and validate that no unauthorized data access has occurred."], "summary": {"action": "Immediate Patch", "impact": "Data Compromise"}, "threat_synthesis": {"affected_systems": "The bug is present in the Lisfinity Core WordPress plugin by pebas, affecting all releases from the earliest available version up through any version 1.5.0 or earlier. No earlier versions were listed as affected beyond that upper bound.", "description_and_impact": "This vulnerability is a classic SQL injection flaw caused by improper neutralization of special characters in SQL commands. It enables attackers to craft malicious input that is executed by the database engine, potentially allowing read, modify, or delete operations on sensitive data. The weakness corresponds to CWE\u201189 and can jeopardize the confidentiality and integrity of the content stored by the plugin.", "risk_and_exploitability": "Because the flaw resides in a publicly accessible plugin interface, the likely attack vector is via crafted HTTP requests sent to the Wordpress site hosting the plugin. No official patch status or exploit probability score is provided, and the vulnerability does not appear in CISA\u2019s KEV catalog. However, the inherent nature of SQL injection combined with the lack of known mitigations suggests a significant risk should an attacker identify a usable entry point."}}}}, "created": "2026-03-25T21:35:28.729430+00:00", "updated": "2026-03-25T21:35:28.729457+00:00", "vendors": []}