Description
The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sort_by' and 'sort_order' parameters in all versions up to, and including, 1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to Sensitive Data Exposure
Action: Patch Immediately
AI Analysis

Impact

The myLinksDump WordPress plugin contains a SQL injection flaw (CWE-89) in the 'sort_by' and 'sort_order' request parameters. Values supplied by an authenticated administrator are inserted into a SQL query without escaping or preparation, so an attacker holding such an account can append arbitrary SQL to the existing query. The flaw allows retrieval of confidential database contents; the assigned CVSS vector also rates integrity and availability impact as high, since the same injection point could be used to modify or delete data.

Affected Systems

All releases of the myLinksDump plugin distributed by Silvercover up to and including version 1.6 are affected. WordPress sites that run a vulnerable version of this plugin and allow administrators to use its sort functionality are at risk.

Risk and Exploitability

The vulnerability has a CVSS v3.1 base score of 7.2, which falls in the High range (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). EPSS estimates the probability of exploitation in the wild at under 1%, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation and rates it as not automatable. Exploitation requires an authenticated account with administrator or higher privileges, so the flaw mainly matters where administrator credentials have been compromised or where a site administrator is not fully trusted; a WordPress administrator already has broad control over the site, which is why the score is not higher despite the high impact ratings.

Generated by OpenCVE AI on March 21, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the myLinksDump plugin as soon as the vendor publishes a version later than 1.6 that addresses this issue; at the time of writing no fixed version has been announced.
  • While no upgrade is available, reduce the number of administrator accounts, enforce strong authentication on those that remain, and consider blocking requests to the plugin's pages that carry 'sort_by' or 'sort_order' values outside the expected set at the web server or WAF layer.
  • As an interim measure, modify the plugin code so that 'sort_by' and 'sort_order' are validated against an allow-list of column names and the literals ASC/DESC before they reach the query. Note that ORDER BY takes identifiers and keywords, which cannot be passed through $wpdb->prepare() value placeholders (%s, %d), and that escaping with esc_sql() does not protect an unquoted identifier; allow-listing is the correct fix.
  • If neither upgrading nor patching is possible, remove or deactivate the myLinksDump plugin until a secure version is released.
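The allow-list fix described in the interim-measure item above, written out as an added example. This is not the myLinksDump plugin's code, which is not reproduced on this page; the table name, column names, function names and the assumption that the plugin builds its ORDER BY clause by string concatenation are all hypothetical, used only to show the vulnerable pattern beside its hardened form.

```php
<?php
// Added example (not myLinksDump's own code). Table name, column names and
// function names are assumptions; only the WordPress API calls are real.

/**
 * Vulnerable pattern (assumed): sort_by and sort_order are interpolated into
 * the query. ORDER BY takes identifiers and keywords, so $wpdb->prepare()
 * value placeholders cannot be used for them, and esc_sql() does not help
 * because an unquoted identifier never needs a quote broken out of.
 */
function mld_get_links_vulnerable( wpdb $wpdb ) {
    $table      = $wpdb->prefix . 'mylinksdump'; // assumed table name
    $sort_by    = isset( $_GET['sort_by'] ) ? $_GET['sort_by'] : 'id';
    $sort_order = isset( $_GET['sort_order'] ) ? $_GET['sort_order'] : 'ASC';

    // The attacker fully controls the ORDER BY expression here.
    $sql = "SELECT id, url, title FROM {$table} ORDER BY {$sort_by} {$sort_order}";
    return $wpdb->get_results( $sql );
}

/**
 * Hardened pattern: validate both parameters against fixed allow-lists and
 * build ORDER BY only from the trusted values. Anything unexpected falls back
 * to a safe default rather than reaching the query.
 *
 * @return array{0: string, 1: string} [column, direction]
 */
function mld_sanitize_sort( $sort_by, $sort_order ) {
    $allowed_columns = array( 'id', 'url', 'title', 'created' ); // assumed schema
    $allowed_orders  = array( 'ASC', 'DESC' );

    // sanitize_key() lowercases and strips everything outside [a-z0-9_-].
    $column = sanitize_key( (string) $sort_by );
    if ( ! in_array( $column, $allowed_columns, true ) ) {
        $column = 'id';
    }

    $order = strtoupper( preg_replace( '/[^a-zA-Z]/', '', (string) $sort_order ) );
    if ( ! in_array( $order, $allowed_orders, true ) ) {
        $order = 'ASC';
    }

    return array( $column, $order );
}

function mld_get_links_hardened( wpdb $wpdb, $page = 1, $per_page = 50 ) {
    $table = $wpdb->prefix . 'mylinksdump'; // assumed table name

    list( $column, $order ) = mld_sanitize_sort(
        isset( $_GET['sort_by'] ) ? wp_unslash( $_GET['sort_by'] ) : '',
        isset( $_GET['sort_order'] ) ? wp_unslash( $_GET['sort_order'] ) : ''
    );

    // $column and $order are now literals taken from the allow-lists, so
    // interpolating them is safe. User-controlled *values* (paging) still go
    // through prepare() with typed placeholders.
    $offset = max( 0, ( (int) $page - 1 ) * (int) $per_page );
    $sql    = $wpdb->prepare(
        "SELECT id, url, title FROM {$table} ORDER BY {$column} {$order} LIMIT %d OFFSET %d",
        (int) $per_page,
        $offset
    );
    return $wpdb->get_results( $sql );
}
```

On WordPress 6.2 and later, $wpdb->prepare() also accepts the %i placeholder for identifiers, which quotes the column name with backticks; that prevents the injection but still lets a caller sort by any column, so the allow-list check above is the better control and works on older WordPress versions too. Inputs such as sort_by=id and sort_order=desc pass through unchanged (to "id DESC"); anything else, for example a parenthesised subquery or a value containing spaces, is replaced by the defaults.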

Generated by OpenCVE AI on March 21, 2026 at 07:22 UTC.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 16:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values added: Silvercover; Silvercover mylinksdump Plugin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Silvercover; Silvercover mylinksdump Plugin; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values added: The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sort_by' and 'sort_order' parameters in all versions up to, and including, 1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values added: myLinksDump <= 1.6 - Authenticated (Administrator+) SQL Injection via 'sort_by' and 'sort_order' Parameters

Type: Weaknesses
Values added: CWE-89

Type: References

Type: Metrics
Values added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:43.074Z

Reserved: 2026-02-10T14:14:37.085Z

Link: CVE-2026-2279

Vulnrichment

Updated: 2026-03-24T15:18:06.719Z

NVD

Status : Awaiting Analysis

Published: 2026-03-21T04:16:57.990

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-2279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:44Z

Weaknesses