Description
Contributor SQL Injection in iNET Webkit 1.2.4 versions.
Published: 2026-07-02
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an unsanitized contributor input that allows attackers to inject arbitrary SQL statements into the plugin’s database queries. This injection can be used to read, modify, or delete content in the WordPress database, potentially exposing sensitive information or corrupting site data. It is classified as CWE‑89, typical of input‑validation bypasses that let attackers run unintended SQL commands.

Affected Systems

The affected product is the iNET Webkit plugin for WordPress, version 1.2.4. Site administrators should verify whether their WordPress installation uses this plugin and take remedial action if so.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity vulnerability. The flaw is not listed in the CISA KEV catalog. Because the input that triggers the injection is a contributor parameter, the most likely attack vector is remote exploitation via crafted HTTP requests to the plugin’s contributor endpoint. Successful exploitation could lead to extensive data exposure or site compromise.

Generated by OpenCVE AI on July 3, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the iNET Webkit plugin to the latest version, which removes the unsanitized input handling.
  • Disable or delete the contributor role or any interface that accepts public contributor input if it is not required for the site’s operation.
  • Conduct a security review of custom code or additional plugins that interact with iNET Webkit to ensure proper input sanitization and to detect any attempts to exploit the flaw.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 20:30:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Values Removed: (none)
Values Added:
  • Description: Contributor SQL Injection in iNET Webkit 1.2.4 versions.
  • Title: WordPress iNET Webkit plugin 1.2.4 - SQL Injection vulnerability
  • Weaknesses: CWE-89
  • References:
  • Metrics: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T19:40:26.895Z

Reserved: 2026-06-25T08:04:34.979Z

Link: CVE-2026-57752

Vulnrichment

Updated: 2026-07-02T19:40:21.335Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T13:30:13Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')