CVE-2026-4834
WP ERP · WP ERP Pro
The WP ERP Pro plugin for WordPress is susceptible to SQL Injection attacks via the 'search_key' parameter.
Executive summary
A high-severity SQL injection vulnerability in the WP ERP Pro WordPress plugin allows unauthenticated attackers to read or modify database content.
Vulnerability
The plugin fails to properly sanitize the 'search_key' input parameter, resulting in a classic SQL injection vulnerability. This flaw allows an attacker to execute arbitrary SQL commands against the WordPress database.
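The following is an added illustration, not code from WP ERP Pro: a hypothetical WordPress search handler written the way this class of bug arises (the search term spliced into the SQL text) next to the same handler using the WordPress database API's parameter binding. The table name, column and function names are assumptions made for the example.

```php
<?php
// Added illustration, not WP ERP Pro's code. Assumed (hypothetical): a custom
// table "{$wpdb->prefix}erp_contacts" with a "name" column, and a request
// parameter named search_key.

// Vulnerable pattern: the user-supplied value becomes part of the SQL text, so
// a quote character in search_key changes the structure of the query instead of
// being treated as data.
function contacts_search_vulnerable( $search_key ) {
    global $wpdb;
    $table = $wpdb->prefix . 'erp_contacts';
    $sql   = "SELECT id, name FROM {$table} WHERE name LIKE '%" . $search_key . "%'";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern: the value is bound with $wpdb->prepare(), which quotes and
// escapes it for the SQL context. $wpdb->esc_like() additionally escapes the
// LIKE wildcards (% and _) so the caller cannot widen the pattern.
function contacts_search_hardened( $search_key ) {
    global $wpdb;
    $table = $wpdb->prefix . 'erp_contacts';
    $like  = '%' . $wpdb->esc_like( $search_key ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE name LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Request handling: wp_unslash() removes the slashes WordPress adds to request
// data, sanitize_text_field() strips tags and control characters. Neither
// replaces prepare(); prepare() is the SQL boundary, these are input hygiene.
// The capability check limits who can reach the query at all; the advisory
// describes an endpoint reachable without authentication.
function handle_search_request() {
    if ( ! current_user_can( 'read' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    $raw = isset( $_GET['search_key'] ) ? wp_unslash( $_GET['search_key'] ) : '';
    $key = sanitize_text_field( $raw );
    return contacts_search_hardened( $key );
}
```

The interpolated table name is safe only because it comes from `$wpdb->prefix` and a constant, never from the request; every request-derived value goes through `prepare()` as a placeholder.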
Business impact
A successful SQL injection attack can lead to full database compromise, including the unauthorized extraction of user data, sensitive business information, or administrative credentials. Given the CVSS score of 7.5, the risk to confidentiality and integrity is severe.
Remediation
Immediate Action: Update the WP ERP Pro plugin to the latest available version provided by the vendor.
Proactive Monitoring: Audit database logs for unusual query syntax or unexpected spikes in database activity, which may indicate automated exploitation attempts.
Compensating Controls: Utilize a Web Application Firewall (WAF) with SQL injection protection rules to block malicious payloads targeting the 'search_key' parameter.
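As an added example of the monitoring step above (not part of the advisory or the vendor's tooling), the script below scans MySQL general-log lines for two signals: SQL control syntax inside the quoted search term, which a prepared statement would have escaped, and bursts of queries from one connection within the same second. The log lines, table name, thread ids and threshold are constructed for the example.

```php
<?php
// Added example, not from the advisory or the vendor. Constructed general-log
// lines in the shape "<time> <thread id> Query <sql>".
$log_lines = [
    "2026-03-01T10:00:01Z 12 Query SELECT id, name FROM wp_erp_contacts WHERE name LIKE '%smith%'",
    "2026-03-01T10:00:02Z 15 Query SELECT id, name FROM wp_erp_contacts WHERE name LIKE '%' OR 1=1 -- %'",
    "2026-03-01T10:00:02Z 16 Query SELECT id, name FROM wp_erp_contacts WHERE name LIKE '%a' AND SLEEP(5) AND '%'='%'",
    "2026-03-01T10:00:03Z 17 Query SELECT id, name FROM wp_erp_contacts WHERE name LIKE '%jones%'",
    "2026-03-01T10:00:03Z 17 Query SELECT id, name FROM wp_erp_contacts WHERE name LIKE '%jonas%'",
    "2026-03-01T10:00:03Z 17 Query SELECT id, name FROM wp_erp_contacts WHERE name LIKE '%jonah%'",
];

// Syntax that a search term bound through prepare() can never contribute to the
// query text: a prepared statement escapes the closing quote, so the literal
// stays intact and none of these tokens appear outside it.
$suspicious = [
    '/--\s/'                      => 'line comment inside query',
    '/\/\*/'                      => 'block comment inside query',
    '/\bOR\s+\d+\s*=\s*\d+/i'     => 'tautology condition',
    '/\bUNION\b/i'                => 'UNION in a search query',
    '/\b(SLEEP|BENCHMARK)\s*\(/i' => 'time-based probe function',
];

// Split one log line into its timestamp, connection id and SQL text.
function parse_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+)\s+(\d+)\s+Query\s+(.*)$/', $line, $m ) ) {
        return null;
    }
    return [ 'time' => $m[1], 'thread' => (int) $m[2], 'sql' => $m[3] ];
}

// Return one finding per suspicious query and one per per-connection burst.
function scan_queries( array $lines, array $patterns, int $burst_threshold ): array {
    $findings          = [];
    $per_thread_second = [];
    foreach ( $lines as $line ) {
        $entry = parse_line( $line );
        if ( $entry === null ) {
            continue;
        }
        foreach ( $patterns as $regex => $label ) {
            if ( preg_match( $regex, $entry['sql'] ) ) {
                $findings[] = sprintf( 'thread %d at %s: %s', $entry['thread'], $entry['time'], $label );
            }
        }
        // Count queries per connection per second for the burst check.
        $key                       = $entry['thread'] . '@' . $entry['time'];
        $per_thread_second[ $key ] = ( $per_thread_second[ $key ] ?? 0 ) + 1;
    }
    foreach ( $per_thread_second as $key => $count ) {
        if ( $count >= $burst_threshold ) {
            $findings[] = sprintf( '%s: %d queries in one second (burst)', $key, $count );
        }
    }
    return $findings;
}

foreach ( scan_queries( $log_lines, $suspicious, 3 ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

On the constructed lines this reports threads 15 and 16 for the syntax patterns and thread 17 for the burst. The patterns are deliberately narrow; a legitimate search term containing "--" would still be quoted as data by a prepared statement but can trip the line-comment rule, so treat hits as triage leads and confirm against the application's request log.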
Exploitation status
Public Exploit Available: false
Analyst recommendation
Remediate immediately to prevent data breaches. If a patched version is not yet available, consider disabling the plugin entirely until a secure version can be installed.