Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team WZone woozone allows Blind SQL Injection. This issue affects WZone: from n/a through <= 14.0.31.
Published: 2026-03-25
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to unauthorized data exposure or modification
Action: Immediate Patch
AI Analysis

Impact

A flaw in the WordPress WZone plugin permits attackers to inject arbitrary SQL commands by bypassing the neutralization of special elements used in SQL queries. This results in blind SQL injection, allowing the attacker to read, modify, or delete sensitive database records, thereby compromising user data and site integrity. The issue is a classic instance of CWE-89.

Affected Systems

The vulnerability targets the AA‑Team WZone plugin for WordPress, affecting every installation from the earliest version up to and including 14.0.31. Any WordPress site that has this plugin installed and is using a vulnerable version is susceptible; no other product or platform specifics are mentioned.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.5, classifying it as high severity. An EPSS score of less than 1% indicates a low estimated probability of exploitation, and the flaw is not listed in CISA’s KEV catalog, meaning CISA has not recorded it as exploited in the wild. The likely attack vector is any input that the plugin incorporates into SQL statements without proper sanitization; the record does not detail specific entry points, so this is inferred from the nature of the flaw.

Generated by OpenCVE AI on March 26, 2026 at 21:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WZone plugin to version 14.0.32 or later



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aa-team; Aa-team wzone; Wordpress; Wordpress wordpress
Vendors & Products | | Aa-team; Aa-team wzone; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team WZone woozone allows Blind SQL Injection. This issue affects WZone: from n/a through <= 14.0.31.
Title | | WordPress WZone plugin <= 14.0.31 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T19:09:58.590Z

Reserved: 2026-02-17T13:23:18.875Z

Link: CVE-2026-27039

Vulnrichment

Updated: 2026-03-26T19:09:55.873Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:53.310

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-27039

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:34Z
