Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan tainacan allows Blind SQL Injection. This issue affects Tainacan: from n/a through <= 1.0.3.
Published: 2026-05-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements in the Tainacan WordPress plugin results in a blind SQL injection vulnerability (CWE‑89). An attacker can inject SQL code that allows reading sensitive data, such as database credentials, user records, or stored content, without needing to trigger error messages. This can lead to a significant compromise of data confidentiality.

Affected Systems

The vulnerability applies to the WordPress Tainacan plugin, vendor tainacan:Tainacan, affecting all installations of version 1.0.3 or earlier.

Risk and Exploitability

The CVSS score of 9.3 classifies this flaw as critical. EPSS data is not available, and the lack of a KEV listing does not reduce the potential impact. Attackers can exploit the flaw via web requests to the plugin’s exposed endpoints, performing blind injection techniques (e.g., timing attacks) against a vulnerable WordPress site where Tainacan is installed. Given the severity and the possibility of arbitrary data access, the risk to affected systems is high.

Generated by OpenCVE AI on May 27, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tainacan plugin to a version newer than 1.0.3 that addresses the SQL injection issue.
  • If an immediate upgrade is not possible, disable or restrict the plugin to trusted environments until a fix is applied.
  • Configure a Web Application Firewall to detect and block common SQL injection payloads against the plugin’s URLs.
  • Review database user privileges for the WordPress database and ensure the user has only the necessary permissions to reduce damage from a successful injection.


Advisories

No advisories yet.

History

Wed, 27 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tainacan; Tainacan tainacan; Wordpress; Wordpress wordpress
Vendors & Products | | Tainacan; Tainacan tainacan; Wordpress; Wordpress wordpress

Wed, 27 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan tainacan allows Blind SQL Injection. This issue affects Tainacan: from n/a through <= 1.0.3.
Title | | WordPress Tainacan plugin <= 1.0.3 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:51:28.571Z

Reserved: 2026-04-29T09:05:30.886Z

Link: CVE-2026-42740

Vulnrichment

Updated: 2026-05-27T10:51:23.414Z

NVD

Status: Received

Published: 2026-05-27T11:16:20.700

Modified: 2026-05-27T11:16:20.700

Link: CVE-2026-42740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:15:05Z

Weaknesses