Description
The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape user input as it is concatened to SQL queries, making it possible for attackers to conduct SQL Injection attacks against the dynamic filter functionality.
Published: 2026-04-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Breach
Action: Patch
AI Analysis

Impact

The SQL Chart Builder WordPress plugin contains a flaw that permits attackers to inject arbitrary SQL statements through its dynamic filter feature. User input is concatenated into database queries without proper escaping, creating a classic case of SQL injection, a CWE‑89 weakness that can enable unauthorized retrieval, modification, or deletion of database contents. The impact is that confidential data stored by the site may be compromised, and database integrity may be undermined.

Affected Systems

All WordPress sites that have installed the Guaven SQL Chart Builder plugin at a version earlier than 2.3.8 are affected. Versions 2.3.8 and higher, or installations that do not use the plugin, are not vulnerable.

Risk and Exploitability

The CVSS v3 score is 6.5, indicating medium severity, while the EPSS score is reported as less than 1 %, implying a low current likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that an attacker can exploit the flaw by sending unauthenticated HTTP requests to the plugin’s dynamic filter endpoint, which is publicly reachable. No further exploitation prerequisites are detailed in the CVE data.

Generated by OpenCVE AI on April 9, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SQL Chart Builder plugin to version 2.3.8 or newer.
  • If an immediate update is not feasible, disable or restrict access to the plugin’s dynamic filter functionality to block unauthenticated input.
  • Keep WordPress core and all other plugins updated, and review other components for similar injection risks.
  • Monitor database logs for abnormal query activity that may indicate attempted exploitation.

Generated by OpenCVE AI on April 9, 2026 at 22:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Guaven
Guaven sql Chart Builder
Weaknesses CWE-89
CPEs cpe:2.3:a:guaven:sql_chart_builder:*:*:*:*:*:wordpress:*:*
Vendors & Products Guaven
Guaven sql Chart Builder

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Sql Chart Builder
Sql Chart Builder sql Chart Builder
Wordpress
Wordpress wordpress
Vendors & Products Sql Chart Builder
Sql Chart Builder sql Chart Builder
Wordpress
Wordpress wordpress

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Description The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape user input as it is concatened to SQL queries, making it possible for attackers to conduct SQL Injection attacks against the dynamic filter functionality.
Title SQL Chart Builder < 2.3.8 - Unauthenticated SQL Injection
References

Subscriptions

Guaven Sql Chart Builder
Sql Chart Builder Sql Chart Builder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-07T16:26:56.057Z

Reserved: 2026-03-12T20:27:38.639Z

Link: CVE-2026-4079

cve-icon Vulnrichment

Updated: 2026-04-07T16:26:52.809Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T07:16:23.927

Modified: 2026-04-09T19:51:34.740

Link: CVE-2026-4079

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:41:34Z

Weaknesses