Description
Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions.
Published: 2026-07-02
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A classic SQL injection flaw exists in the nicen-localize-image WordPress plugin in versions up to 1.4.9. The vulnerability is triggered when the plugin receives unfiltered input and incorporates it into SQL statements. An attacker who injects SQL through that input can read, modify, or delete database contents, potentially compromising sensitive user data or enabling further exploitation of the underlying system.

Affected Systems

The nicen-localize-image plugin, on any WordPress site running version 1.4.9 or earlier. The affected vendor is identified as 友人a丶. No version matrix is provided beyond the stated upper bound, so all releases up to and including 1.4.9 should be treated as vulnerable.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. Although no EPSS score is available, the absence of any practical restriction on the attacker's ability to deliver payloads suggests a realistic exploitation risk. This vulnerability is not listed in the CISA KEV catalog, but its inherent ability to compromise database integrity warrants immediate attention. Attackers typically exploit such a flaw through the web interface, by sending crafted requests to the plugin's input endpoints.

Generated by OpenCVE AI on July 2, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update nicen-localize-image to a version newer than 1.4.9 as soon as a patch is released.
  • Limit the database user privileges used by the plugin to the minimal set of operations required for normal operation, so that the impact is contained if an injection succeeds.
  • Implement input validation and prepared statements throughout the plugin code, addressing the CWE-89 weakness to prevent future injection attacks.
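As an added illustration of the last two recommendations (this is example code, not code from the nicen-localize-image plugin, whose source is not shown on this page): a hypothetical WordPress AJAX handler that looks up image records by URL, first in the CWE-89 pattern and then hardened with a capability check, a nonce, input sanitisation and `$wpdb->prepare()`. The table name, action name, nonce name and capability are assumptions; the WordPress runtime (`$wpdb`, `current_user_can`, `check_ajax_referer`, `esc_url_raw`, `absint`) is assumed to be loaded.

```php
<?php
// Added example, not the plugin's code. Assumes the WordPress runtime is loaded.
// Table, action and nonce names below are invented for illustration.

// BEFORE (the CWE-89 pattern): request data is concatenated straight into SQL.
function hypothetical_lookup_vulnerable() {
    global $wpdb;
    $url   = $_POST['url'];                                  // untrusted, unfiltered
    $table = $wpdb->prefix . 'example_localized_images';
    // A quote character in $url changes the structure of the query itself.
    return $wpdb->get_results( "SELECT id, local_path FROM {$table} WHERE remote_url = '{$url}'" );
}

// AFTER: authorisation, CSRF check, validated input and a prepared statement.
function hypothetical_lookup_hardened() {
    global $wpdb;

    // 1. Authorisation: only roles that need this feature may call it. A Contributor
    //    account should not be able to reach a privileged data path at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Nonce check so the endpoint cannot be driven cross-site.
    check_ajax_referer( 'hypothetical_lookup_nonce', 'nonce' );

    // 3. Validate and sanitise before use; reject anything that is not a URL.
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    $limit = isset( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 10;
    $limit = min( max( $limit, 1 ), 100 );               // clamp to a sane range

    // 4. Parameterise every value. Identifiers (table names) cannot be placeholders,
    //    so they are built only from $wpdb->prefix plus a constant, never from input.
    $table = $wpdb->prefix . 'example_localized_images';
    $sql   = $wpdb->prepare(
        "SELECT id, local_path FROM {$table} WHERE remote_url = %s ORDER BY id DESC LIMIT %d",
        $url,
        $limit
    );
    $rows = $wpdb->get_results( $sql );

    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_hypothetical_lookup', 'hypothetical_lookup_hardened' );
```

The point of the hardened version is that the data path is protected at three independent layers: the capability check keeps low-privilege roles away from the endpoint, the nonce prevents forged requests, and the prepared statement means that even input which slips through sanitisation is treated strictly as a value, never as SQL. When a `LIKE` pattern is needed, the value should additionally go through `$wpdb->esc_like()` before being passed to `prepare()`.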

Tracking

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

Type      Values Removed    Values Added
Metrics   -                 ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type          Values Removed    Values Added
Description   -                 Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions.
Title         -                 WordPress nicen-localize-image plugin <= 1.4.9 - SQL Injection vulnerability
Weaknesses    -                 CWE-89
References    -
Metrics       -                 cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T12:40:12.344Z

Reserved: 2026-06-25T08:04:34.980Z

Link: CVE-2026-57756

Vulnrichment

Updated: 2026-07-02T12:40:09.193Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:15:03Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')