CVE-2026-9010

WordPress · Boost plugin

The Boost plugin for WordPress is susceptible to time-based SQL injection via the 'current_url' and 'user_name' parameters.

Executive summary

The Boost plugin for WordPress is vulnerable to time-based SQL injection, potentially allowing unauthorized database access and data exfiltration.

Vulnerability

The Boost plugin incorporates the 'current_url' and 'user_name' request parameters into a database query without adequate sanitization or parameterization, so an attacker who controls either value can inject SQL into that query. The injected query produces no visible output, which makes this a blind, time-based injection: the attacker appends a conditional delay (for example MySQL's SLEEP() or BENCHMARK(), since WordPress runs on MySQL/MariaDB) and infers the truth of each injected condition from how long the server takes to respond, extracting data one character or bit at a time.

Business impact

A successful exploit allows an attacker to read, and depending on the affected query potentially modify or delete, sensitive information stored in the WordPress database. Time-based blind extraction is slow but fully automatable, so user records, password hashes and other database contents should be assumed recoverable, which can lead to data breaches or account takeovers. With a CVSS score of 7.5, this high-severity flaw poses a significant risk to the confidentiality and integrity of site data and may result in reputational damage and regulatory non-compliance.

Remediation

Immediate Action: Audit the WordPress environment and update the Boost plugin to the latest available version provided by the vendor.

Proactive Monitoring: Monitor web-server and database logs for requests whose 'current_url' or 'user_name' values contain delay primitives such as SLEEP() or BENCHMARK(), and for requests to the plugin's endpoints with abnormally long response times. Repeated near-identical requests from one client whose response times cluster around a fixed delay (for example 5 seconds) are the signature of blind extraction; note that POST bodies are not recorded in standard access logs, so application-level or WAF request logging may be needed to see those parameters.

Compensating Controls: Deploy a Web Application Firewall (WAF) with updated rulesets to detect and block SQL injection payloads targeting WordPress plugins. Treat this as a stopgap only: signature rules are routinely bypassed with URL encoding, inline comments and equivalent delay functions, and a WAF does not fix the underlying query.
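The monitoring step above can be implemented directly over access logs. The following scanner is an added example written for this advisory, not code from the plugin vendor or the advisory's author. It assumes an NCSA combined-style log with the request duration in seconds appended as the last field (nginx's $request_time; adjust the regex if your server logs Apache's %D in microseconds), and the sample log lines, the admin-ajax action name and the client addresses in it are constructed for illustration, not taken from a real site or from the advisory. It flags requests whose 'current_url' or 'user_name' values carry a MySQL delay primitive (after a second round of URL decoding and with inline /* */ comments stripped, two common evasions) and, as a weaker signal, requests touching those parameters that exceeded a configurable response-time threshold.

```python
"""Scan access logs for time-based SQL injection probes against the
'current_url' and 'user_name' query parameters (example code for CVE-2026-9010)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Parameters named as injection points in the advisory.
TARGET_PARAMS = ("current_url", "user_name")

# MySQL/MariaDB delay primitives; WordPress runs on MySQL/MariaDB.
TIME_BASED_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (r"\bsleep\s*\(", r"\bbenchmark\s*\(")
]
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# ASSUMED log format: combined-style prefix, then status, size and the
# request duration in seconds as the final field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<rt>\d+(?:\.\d+)?)$'
)

# Constructed sample log; the endpoint, action name and IPs are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=boost_track&current_url=https%3A%2F%2Fexample.com%2F&user_name=alice HTTP/1.1" 200 512 0.041
203.0.113.9 - - [12/Mar/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=boost_track&current_url=x%27%20AND%20SLEEP(5)--%20&user_name=alice HTTP/1.1" 200 512 5.032
203.0.113.9 - - [12/Mar/2026:10:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=boost_track&current_url=https%3A%2F%2Fexample.com%2F&user_name=bob%27%20AND%20IF(1%3D1%2CBENCHMARK(5000000%2CMD5(1))%2C0)--%20 HTTP/1.1" 200 512 3.870
198.51.100.4 - - [12/Mar/2026:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=boost_track&current_url=https%3A%2F%2Fexample.com%2Fslow-report&user_name=carol HTTP/1.1" 200 512 6.210
198.51.100.5 - - [12/Mar/2026:10:02:30 +0000] "GET /?s=sleep(5) HTTP/1.1" 200 9000 0.090
203.0.113.9 - - [12/Mar/2026:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=boost_track&current_url=https%3A%2F%2Fexample.com%2F&user_name=alice%27%20AND%20SLEEP%2F%2A%2A%2F(5)--%20 HTTP/1.1" 200 512 5.018
"""


def normalize(value: str) -> str:
    """Undo a second layer of URL encoding and strip inline SQL comments so
    that double-encoded payloads and SLEEP/**/(5) are still matched."""
    return SQL_COMMENT.sub("", unquote_plus(value))


def inspect_request(target: str) -> dict:
    """Return {param: decoded value} for each target parameter whose value
    contains a time-delay primitive."""
    hits = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if name not in TARGET_PARAMS:
            continue
        for raw in values:
            val = normalize(raw)
            if any(p.search(val) for p in TIME_BASED_PATTERNS):
                hits[name] = val
    return hits


def analyze_line(line: str, slow_threshold: float = 5.0):
    """Classify one log line. Returns None, or a finding whose 'verdict' is
    'payload' (delay primitive present) or 'slow' (target parameters present
    and the request took at least slow_threshold seconds)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = m.group("target")
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if not any(name in params for name in TARGET_PARAMS):
        return None  # the vulnerable parameters were not touched
    rt = float(m.group("rt"))
    hits = inspect_request(target)
    if hits:
        return {"ip": m.group("ip"), "verdict": "payload", "params": hits, "rt": rt}
    if rt >= slow_threshold:
        return {"ip": m.group("ip"), "verdict": "slow", "params": {}, "rt": rt}
    return None


def scan(log_text: str, slow_threshold: float = 5.0) -> list:
    """Run analyze_line over every line and keep the findings, in log order."""
    findings = (analyze_line(l, slow_threshold) for l in log_text.splitlines())
    return [f for f in findings if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['verdict']:<8} rt={f['rt']:.3f}s {f['params']}")
```

A 'payload' finding is high confidence; a 'slow' finding only means the request touched the vulnerable parameters and was slow, so correlate it with repeated requests from the same client whose values change one character at a time before treating it as an attack. The scan deliberately ignores delay primitives in unrelated parameters (the /?s=sleep(5) line) to keep the output focused on this CVE; widen TARGET_PARAMS if you want a general sweep.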

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score and the nature of SQL injection, administrators should first determine whether the Boost plugin is installed and at which version (for example from the WordPress plugin list or WP-CLI's `wp plugin list`). If it is, update it to the vendor's fixed release immediately, or remove it if no fixed release is available. Because blind exploitation leaves little trace beyond slow responses, sites that exposed a vulnerable version to the internet should also review their logs for the indicators described under Proactive Monitoring and, where exploitation is suspected, reset user passwords, since the password hashes stored in the database may have been recovered.