Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection.This issue affects Nelio Content: from n/a through <= 4.2.0.
Published: 2026-01-23
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection exposing or modifying database data
Action: Immediate Patch
AI Analysis

Impact

An attacker can exploit a blind SQL injection flaw in the Nelio Content WordPress plugin (versions 4.2.0 and earlier) by submitting crafted input that bypasses sanitization. Based on the description, it is inferred that the flaw permits unauthorized reading or alteration of data stored in the WordPress database, potentially leading to confidentiality and integrity violations.

Affected Systems

WordPress sites running the Nelio Content plugin from Nelio Software, any versions up through 4.2.0. The vulnerability is specific to the plugin’s database handling routines.

Risk and Exploitability

The flaw receives a CVSS score of 8.5, indicating high severity, but its EPSS score is less than 1%, suggesting a low probability that it will be actively exploited. The vulnerability is not listed in the CISA KEV catalog, so no evidence of known active exploitation exists. Based on the description, it is inferred that attackers would need web access to the plugin’s input channels; the injection is blind, requiring only the presence or absence of query results to infer data.

Generated by OpenCVE AI on April 28, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nelio Content to a version that fixes the SQL injection flaw.
  • If an immediate update is unavailable, disable any plugin functionalities that accept unsanitized user input.
  • Restrict database permissions for the WordPress user so that it has only the minimum privileges required for normal operation.

Generated by OpenCVE AI on April 28, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection.This issue affects Nelio Content: from n/a through <= 4.1.0. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection.This issue affects Nelio Content: from n/a through <= 4.2.0.
Title WordPress Nelio Content plugin <= 4.1.0 - SQL Injection vulnerability WordPress Nelio Content plugin <= 4.2.0 - SQL Injection vulnerability

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Fri, 23 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection.This issue affects Nelio Content: from n/a through <= 4.1.0.
Title WordPress Nelio Content plugin <= 4.1.0 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:49.763Z

Reserved: 2026-01-23T12:32:02.838Z

Link: CVE-2026-24572

cve-icon Vulnrichment

Updated: 2026-01-23T21:04:49.966Z

cve-icon NVD

Status : Deferred

Published: 2026-01-23T15:16:15.210

Modified: 2026-04-28T15:16:15.817

Link: CVE-2026-24572

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T18:00:14Z

Weaknesses