Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force OttoKit suretriggers allows Blind SQL Injection. This issue affects OttoKit: from n/a through <= 1.1.20.
Published: 2026-04-08
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exposure via SQL Injection
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw (CWE-89) in the Brainstorm Force OttoKit WordPress plugin (“suretriggers”). It occurs because the plugin fails to properly neutralize special characters before they are incorporated into an SQL query. An attacker can craft a request that injects arbitrary SQL, resulting in a blind SQL injection scenario. Successful exploitation allows the attacker to read, alter, or delete data stored in the WordPress database, compromising the confidentiality, integrity, and availability of site content and user information.

Affected Systems

All WordPress sites that have installed the OttoKit plugin version 1.1.20 or earlier are affected. The issue applies to all releases from the initial release (n/a) through 1.1.20 regardless of site configuration or user role.

Risk and Exploitability

The CVSS base score of 7.6 indicates a high severity. The EPSS score is below 1%, suggesting a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the plugin’s trigger endpoint over HTTP, inferred from the plugin’s normal operation. If an attacker can reach this endpoint, they may send crafted payloads that trigger blind SQL injection, potentially enabling data exfiltration or site compromise. The combination of high severity and low exploitability still warrants immediate attention to prevent possible future exploitation.

Generated by OpenCVE AI on April 13, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OttoKit plugin to version 1.1.21 or later. If the latest version is not yet available, disable the OttoKit plugin until a patch is released, or remove the plugin entirely from the site.

Generated by OpenCVE AI on April 13, 2026 at 20:06 UTC.


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Brainstorm Force
                                       Brainstorm Force ottokit
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Brainstorm Force
                                       Brainstorm Force ottokit
                                       Wordpress
                                       Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type          Values Removed   Values Added
Description                    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force OttoKit suretriggers allows Blind SQL Injection. This issue affects OttoKit: from n/a through <= 1.1.20.
Title                          WordPress OttoKit plugin <= 1.1.20 - SQL Injection vulnerability
Weaknesses                     CWE-89
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-13T16:28:46.109Z

Reserved: 2026-04-07T10:42:07.235Z

Link: CVE-2026-39479

Vulnrichment

Updated: 2026-04-13T16:25:43.459Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:22.670

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39479

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:40:05Z

Weaknesses