Description
Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GeekyBot WordPress plugin, versions 1.2.0 and earlier, contains an unauthenticated SQL Injection flaw. The vulnerability allows an attacker to embed arbitrary SQL into database queries issued by the plugin's endpoints, potentially resulting in data exfiltration, modification, or deletion, and possibly a denial of service if the database is corrupted. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), i.e. user-supplied input reaching a query without proper validation or parameterization.

Affected Systems

Any WordPress site that has the GeekyBot plugin installed at version 1.2.0 or below, distributed by Ahmad:GeekyBot. Such sites are exposed regardless of user roles, since exploiting the flaw requires no authentication or privileged access.

Risk and Exploitability

The CVSS score of 9.3 marks this flaw as critical, but its EPSS score of less than 1% indicates a very low current likelihood of exploitation, and it is not listed in CISA's KEV catalog. The vulnerability is exploitable via a crafted HTTP request to the plugin's endpoint and requires no authentication. Because the endpoint is publicly reachable, any visitor could potentially trigger the flaw, which makes it a high-risk attack vector for publicly hosted WordPress installations.

Generated by OpenCVE AI on June 16, 2026 at 23:26 UTC.

Remediation

Vendor Solution

Update the WordPress GeekyBot Plugin to the latest available version (at least 1.2.1).
OpenCVE Recommended Actions

  • Update the GeekyBot plugin to version 1.2.1 or newer
  • Disable or uninstall the GeekyBot plugin if an update cannot be applied immediately
  • Monitor database logs for unexpected query activity and review logs for signs of exploitation

Tracking


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type          Values Removed    Values Added
Description                     Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions.
Title                           WordPress GeekyBot plugin <= 1.2.0 - SQL Injection vulnerability
Weaknesses                      CWE-89
References
Metrics                         cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:36:27.496Z

Reserved: 2026-04-07T10:48:03.414Z

Link: CVE-2026-39519

Vulnrichment

Updated: 2026-06-16T12:36:23.460Z

NVD

Status : Deferred

Published: 2026-06-15T21:16:46.460

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:30:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')