Impact
The vulnerability is an improper neutralization of special elements in an SQL command (CWE-89), which enables blind SQL injection in the Brainstorm Force SureDash WordPress plugin. An attacker can supply crafted input that alters SQL queries executed by the plugin, potentially allowing the attacker to infer data from the database, such as user credentials, configuration settings, or other sensitive information. Because the injection is blind, the attacker relies on response timing or error-based clues, but still can gain substantial knowledge without receiving direct query results.
Affected Systems
Affected systems include the Brainstorm Force SureDash plugin for WordPress, with all releases up to and including version 1.8.0. The exact initial release is not specified. No other vendors or products are listed.
Risk and Exploitability
The CVSS score of 8.5 indicates a high severity. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog, meaning no known widespread exploitation yet, but the high score suggests significant risk. The attack vector is likely through HTTP requests to the plugin's exposed endpoints, requiring access to a WordPress site that has the plugin installed. No authentication requirement is stated, so the exploit may be possible from unauthenticated guests or staff users.
OpenCVE Enrichment