Description
The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries in the restore workflow. This makes it possible for authenticated attackers, with CMS Commander API key access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

CMS Commander plugin for WordPress can execute SQL injection via the or_blogname, or_blogdescription, and or_admin_email parameters because they are not properly escaped and the queries lack prepared statements. This flaw allows an attacker who has an API key and is authenticated to the plugin to add arbitrary SQL fragments to existing queries and retrieve sensitive information from the database. The vulnerability enables direct data exfiltration, which may lead to further compromise of the site by exposing credentials, confidential content, or other valuable data.
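The defect class named above is an SQL statement assembled from request values without placeholders. The following PHP is a constructed illustration added here; it is not CMS Commander's source (which this page does not show). It takes the three parameter names from the advisory, assumes the restore step writes them into the wp_options table, and uses hypothetical function names. The first function shows the unsafe shape; the second shows the idiomatic WordPress repair with $wpdb->prepare().

```php
<?php
// Constructed example (not the plugin's code). Parameter names are from the
// advisory; the function names and the wp_options target are assumptions.

// UNSAFE shape: a request value is concatenated straight into the SQL text,
// so the value can change the statement instead of being stored as data (CWE-89).
function cmsc_restore_site_options_unsafe( array $params ) {
    global $wpdb;
    $blogname = $params['or_blogname']; // user supplied, never escaped or prepared
    $sql = "UPDATE {$wpdb->options} SET option_value = '" . $blogname
         . "' WHERE option_name = 'blogname'";
    return $wpdb->query( $sql );
}

// HARDENED shape: every user-supplied value goes through a %s placeholder, so
// $wpdb->prepare() quotes it and the statement structure is fixed at code time.
function cmsc_restore_site_options( array $params ) {
    global $wpdb;

    // Request parameter => wp_options row it restores (assumed mapping).
    $map = array(
        'or_blogname'        => 'blogname',
        'or_blogdescription' => 'blogdescription',
        'or_admin_email'     => 'admin_email',
    );

    $updated = 0;
    foreach ( $map as $param => $option_name ) {
        if ( ! isset( $params[ $param ] ) ) {
            continue;
        }
        // Normalise input before it reaches the query; validation is separate
        // from, and in addition to, preparation.
        $value = sanitize_text_field( wp_unslash( $params[ $param ] ) );
        if ( 'admin_email' === $option_name && ! is_email( $value ) ) {
            continue; // refuse a malformed address rather than store it
        }

        $sql = $wpdb->prepare(
            "UPDATE {$wpdb->options} SET option_value = %s WHERE option_name = %s",
            $value,
            $option_name
        );
        $result = $wpdb->query( $sql );
        if ( false === $result ) {
            return false; // surface the database error to the caller
        }
        $updated += (int) $result;
    }
    return $updated;
}
```

For settings that live in wp_options, update_option() reaches the same result without any hand-written SQL; the prepared form above is shown because it is the direct repair for the pattern the description calls out (raw queries built from request parameters).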

Affected Systems

The flaw is present in all versions of the CMS Commander plugin up to and including release 2.288. The plugin is distributed by thoefter as CMS Commander – Manage Multiple Sites for WordPress. Any WordPress site that has this plugin installed at version 2.288 or older is vulnerable. The risk applies only when the attacker can obtain or abuse a valid CMS Commander API key, which grants authenticated access to the plugin's restore workflow.

Risk and Exploitability

The CVSS base score for the issue is 8.8, indicating high severity. The exploit probability score is not publicly available, but the vulnerability requires authenticated access rather than unauthenticated remote code execution. As the flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, no evidence of active exploitation in the wild is reported yet. Nevertheless, the attack path is relatively straightforward for an insider or compromised API key holder and can result in immediate disclosure of database contents.

Generated by OpenCVE AI on March 21, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CMS Commander to version 2.289 or later to eliminate the SQL injection flaw.
  • If an upgrade is not yet possible, immediately disable the CMS Commander plugin or restrict its usage until a patch is available.
  • Revoke or rotate any CMS Commander API keys that may have been exposed, and enforce strict API key management practices.
  • Perform a comprehensive backup of the WordPress database and verify its integrity before and after applying the fix.
  • After the update, review the database for any unexpected changes or compromised data and monitor the site for unusual activity.


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Thoefter
  Thoefter cms Commander – Manage Multiple Sites
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Thoefter
  Thoefter cms Commander – Manage Multiple Sites
  Wordpress
  Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries in the restore workflow. This makes it possible for authenticated attackers, with CMS Commander API key access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Removed: (none)
Values Added: CMS Commander <= 2.288 - Authenticated (Custom+) SQL Injection via 'or_blogname' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
  {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Thoefter Cms Commander – Manage Multiple Sites
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:48.054Z

Reserved: 2026-02-27T14:54:17.404Z

Link: CVE-2026-3334

Vulnrichment

Updated: 2026-03-23T17:25:27.341Z

NVD

Status : Awaiting Analysis

Published: 2026-03-21T04:17:20.330

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-3334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:43Z

Weaknesses