Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP erp allows SQL Injection. This issue affects WP ERP: from n/a through <= 1.16.10.
Published: 2026-03-13
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Apply Patch
AI Analysis

Impact

This is an SQL injection flaw (CWE-89) in the weDevs WP ERP plugin for WordPress: input that reaches an SQL statement is not neutralized, so an attacker can alter the query the plugin runs against the WordPress database. The published CVSS 3.1 vector (C:H/I:N/A:L with scope changed) rates the impact as high on confidentiality, low on availability and none on integrity, so the expected result of exploitation is disclosure of database contents, with some potential for disruption, rather than data modification. The scope-changed (S:C) component indicates the impact reaches beyond the vulnerable plugin itself, consistent with access to the shared WordPress database.

Affected Systems

WordPress sites running WP ERP at version 1.16.10 or any earlier release are affected; this page lists no fixed release. Because the advisory does not name the vulnerable input path, every site with the plugin installed and active should be treated as exposed until it is updated or deactivated.

Risk and Exploitability

The CVSS 3.1 base score of 8.5 (High) comes from the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L: the flaw is reachable over the network with low attack complexity and no user interaction, but PR:L means the attacker needs an authenticated account with low privileges, so exposure is greatest where such accounts are easy to obtain, for example on sites with open registration. The EPSS score below 1% indicates a currently low probability of exploitation in the wild, the CVE is not in the CISA KEV catalog, and the SSVC assessment recorded on 13 Mar 2026 lists Exploitation: none and Automatable: no. The advisory does not identify the vulnerable parameter or endpoint; the presumed attack path is crafted input submitted through the plugin's forms or request handlers that is concatenated into an SQL statement.

Generated by OpenCVE AI on March 19, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP ERP to a release later than 1.16.10 as soon as the vendor publishes one; this page does not identify a fixed version
  • Until then, deactivate the plugin, or restrict who can reach it: exploitation requires an authenticated low-privilege account per the CVSS vector, so limiting registration and which roles can use WP ERP features reduces exposure
  • Check the vendor's website or plugin documentation for the patched release before re-enabling the plugin

Generated by OpenCVE AI on March 19, 2026 at 15:24 UTC.
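To apply the actions above across several sites, an operator first needs to decide whether an installed version is inside the advisory's range. The following is an added example, not code from OpenCVE or weDevs: it parses the range phrase from this CVE's description ("from n/a through <= 1.16.10") into bounds, compares dotted versions numerically, and optionally reads the installed version through WP-CLI (`wp plugin get erp --field=version`), using the plugin slug `erp` from the description. Accepting a bare "through Y" or a "through < Y" form is an assumption about the phrase format that goes beyond the single form shown on this page.

```python
"""Check an installed WP ERP version against the affected range stated in this
advisory (added example; the range phrase is parsed from the description)."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Copied from the description line of this CVE; "n/a" means no known lower bound.
AFFECTED_RANGE = "from n/a through <= 1.16.10"
# Plugin slug as given in the description ("weDevs WP ERP erp").
PLUGIN_SLUG = "erp"

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.16.10' -> (1, 16, 10). Trailing zeros are dropped so 1.16.10.0 equals
    1.16.10; a pre-release suffix is ignored (assumption: '1.16.10-beta' is
    treated as its numeric base, which keeps it inside an inclusive upper bound)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_range(text: str) -> Tuple[Optional[Version], Version, bool]:
    """Parse 'from X through <= Y' into (lower or None, upper, upper_inclusive).
    The page only shows the '<=' form; treating a bare 'through Y' as inclusive
    and 'through < Y' as exclusive is an assumption about the format."""
    m = re.fullmatch(r"from\s+(\S+)\s+through\s+(<=|<)?\s*(\S+)", text.strip())
    if not m:
        raise ValueError("unrecognised range: %r" % text)
    lower = None if m.group(1).lower() == "n/a" else parse_version(m.group(1))
    inclusive = (m.group(2) or "<=") == "<="
    return lower, parse_version(m.group(3)), inclusive


def is_affected(version: str, range_text: str = AFFECTED_RANGE) -> bool:
    """True when `version` lies inside the advisory's affected range."""
    lower, upper, inclusive = parse_range(range_text)
    v = parse_version(version)
    if lower is not None and v < lower:
        return False
    return v <= upper if inclusive else v < upper


def installed_version(slug: str = PLUGIN_SLUG) -> Optional[str]:
    """Ask WP-CLI for the installed plugin version (run from the WordPress
    root). Returns None when `wp` is not installed or the plugin is absent."""
    if shutil.which("wp") is None:
        return None
    result = subprocess.run(["wp", "plugin", "get", slug, "--field=version"],
                            capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return result.stdout.strip() or None


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print("WP-CLI or the %s plugin not found; testing sample versions" % PLUGIN_SLUG)
        for sample in ("1.16.10", "1.16.11", "1.15.0", "1.17.0"):  # constructed samples
            print("%-8s affected=%s" % (sample, is_affected(sample)))
    elif is_affected(current):
        print("WP ERP %s is in the affected range (%s); deactivate with:"
              " wp plugin deactivate %s" % (current, AFFECTED_RANGE, PLUGIN_SLUG))
    else:
        print("WP ERP %s is outside the affected range" % current)
```

Versions are compared as integer tuples rather than strings, so 1.16.9 sorts below 1.16.10 (a string comparison would get this wrong), and the script only reports; deactivation is left as the printed WP-CLI command so the operator makes that call deliberately.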

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Wedevs; Wedevs wp Erp; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Wedevs; Wedevs wp Erp; Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 12:00:00 +0000

Type: Description
Values Removed: none
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP erp allows SQL Injection. This issue affects WP ERP: from n/a through <= 1.16.10.

Type: Title
Values Removed: none
Values Added: WordPress WP ERP plugin <= 1.16.10 - SQL Injection vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-89

Type: References
Values Removed: none
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:51.185Z

Reserved: 2026-03-10T10:59:45.899Z

Link: CVE-2026-31917

Vulnrichment

Updated: 2026-03-13T15:19:50.882Z

NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:38.807

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-31917

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:28Z

Weaknesses