Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Blind SQL Injection. This issue affects Nelio AB Testing: from n/a through <= 8.2.4.
Published: 2026-02-19
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection (Blind)
Action: Immediate Patch
AI Analysis

Impact

Nelio AB Testing, a WordPress plugin, has a blind SQL injection flaw caused by improper neutralization of special elements in an SQL command. An attacker can send specially crafted requests to the plugin so that the database's observable behaviour (its response content or timing) depends on an attacker-chosen logical condition; in a blind injection the query results are never returned directly, so stored data is inferred one condition at a time. The flaw lets the plugin's own database queries be abused, which may lead to unauthorized access to, or manipulation of, stored information.

Affected Systems

The vulnerability affects the Nelio AB Testing plugin for WordPress from its earliest releases through version 8.2.4. Any WordPress site running one of these versions is potentially vulnerable.

Risk and Exploitability

The flaw received a CVSS score of 7.6, indicating high severity. The EPSS score of less than 1% suggests a low but nonzero probability of exploitation, possibly because blind injection requires repeated probing to infer database contents. It is not listed in CISA's KEV catalog. The likely attack vector is a remote HTTP request to the plugin, meaning anyone with network access to the site could attempt exploitation. Note, however, that the published CVSS vector recorded for this CVE (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L) carries PR:H, i.e. the attacker is expected to already hold high privileges on the site.

Generated by OpenCVE AI on April 16, 2026 at 06:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nelio AB Testing plugin to version 8.2.5 or later, which removes the injection vector.
  • If an upgrade is not immediately possible, sanitize and validate all input parameters used in database queries within the plugin before execution.
  • Use firewall rules or router restrictions to limit access to the plugin’s endpoints to trusted IP addresses, reducing the exposure surface for blind injection attempts.


Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Neliosoftware; Neliosoftware nelio Ab Testing; Wordpress; Wordpress wordpress
Vendors & Products   (none)           Neliosoftware; Neliosoftware nelio Ab Testing; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type                 Values Removed   Values Added
Metrics (ssvc)       (none)           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Metrics (cvssV3_1)   (none)           {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

Thu, 19 Feb 2026 08:45:00 +0000

Type                 Values Removed   Values Added
Description          (none)           Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Blind SQL Injection. This issue affects Nelio AB Testing: from n/a through <= 8.2.4.
Title                (none)           WordPress Nelio AB Testing plugin <= 8.2.4 - SQL Injection vulnerability
Weaknesses           (none)           CWE-89
References           (none)           (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:51.308Z

Reserved: 2026-02-02T12:53:01.429Z

Link: CVE-2026-25378

Vulnrichment

Updated: 2026-02-19T20:13:06.996Z

NVD

Status : Deferred

Published: 2026-02-19T09:16:20.257

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25378

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:45:16Z

Weaknesses