Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Fox LMS fox-lms allows Blind SQL Injection.This issue affects Fox LMS: from n/a through <= 1.0.6.3.
Published: 2026-03-13
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from improper neutralization of special elements in an SQL command within the Fox LMS WordPress plugin, a weakness classified as CWE-89. The flaw allows blind SQL injection, enabling an attacker to read, modify, or delete data in the database without authentication. The impact includes exposure of sensitive learner information, loss of data integrity, and downstream compromise of the WordPress site.

Affected Systems

All installations of the Ays Pro Fox LMS (fox-lms) WordPress plugin up to and including version 1.0.6.3 are affected. No later versions are listed as vulnerable. Administrators should verify the plugin version in use.

Risk and Exploitability

The CVSS score of 8.5 marks this as a high severity issue, while the EPSS score indicates a low exploitation likelihood at less than 1%. It is not part of the CISA KEV catalog. Exploitation would likely occur through unauthenticated HTTP requests to plugin endpoints that accept user input, requiring an attacker to orchestrate blind queries and interpret timing or error responses to extract data.

Generated by OpenCVE AI on March 19, 2026 at 16:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Fox LMS plugin to any version newer than 1.0.6.3.
  • If an update cannot be applied immediately, temporarily disable the plugin or restrict its use to trusted users.
  • Monitor WordPress logs and database activity for abnormal queries or unexpected data changes.
  • Consider implementing a web application firewall or input validation rules to block malicious SQL payloads.

Generated by OpenCVE AI on March 19, 2026 at 16:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Ays-pro
Ays-pro fox Lms
Wordpress
Wordpress wordpress
Vendors & Products Ays-pro
Ays-pro fox Lms
Wordpress
Wordpress wordpress

Sun, 15 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Fox LMS fox-lms allows Blind SQL Injection.This issue affects Fox LMS: from n/a through <= 1.0.6.3.
Title WordPress Fox LMS plugin <= 1.0.6.3 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Ays-pro Fox Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:51.756Z

Reserved: 2026-03-10T10:59:45.899Z

Link: CVE-2026-31922

cve-icon Vulnrichment

Updated: 2026-03-13T19:26:56.117Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:39.393

Modified: 2026-03-16T14:54:11.293

Link: CVE-2026-31922

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:59:25Z

Weaknesses