Advisory severity: high

CVE-2026-9010 - WordPress Boost Plugin Time-Based SQL Injection

The Boost plugin for WordPress is vulnerable to time-based SQL Injection (CVE-2026-9010) via the 'current_url' and 'user_name' parameters in versions up to 2.0.3, allowing unauthenticated attackers to extract sensitive information from the database due to insufficient input sanitization.

CVE-2026-9010 is a time-based SQL injection vulnerability affecting the Boost plugin for WordPress, versions up to and including 2.0.3. This flaw stems from inadequate input sanitization of the ‘current_url’ and ‘user_name’ parameters, coupled with insufficient preparation of SQL queries. Unauthenticated attackers can exploit this vulnerability to inject arbitrary SQL code into existing queries. Successful exploitation allows attackers to extract sensitive information from the WordPress database, potentially compromising user credentials, site configuration details, and other confidential data. This vulnerability was reported by Wordfence on May 20, 2026.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress site using a vulnerable version (<= 2.0.3) of the Boost plugin.
  2. The attacker crafts a malicious HTTP request targeting an endpoint that utilizes the vulnerable ‘current_url’ or ‘user_name’ parameters.
  3. The crafted request includes a SQL injection payload designed for time-based injection, using functions like SLEEP() or BENCHMARK() to introduce delays.
  4. The Boost plugin processes the request without properly sanitizing the ‘current_url’ or ‘user_name’ parameters.
  5. The injected SQL code is appended to the existing SQL query executed by the plugin.
  6. The injected code causes a time delay if the injected SQL conditions are met.
  7. The attacker observes the response time of the HTTP request. An increased response time indicates successful SQL injection.
  8. The attacker iteratively refines the SQL injection payload to extract sensitive information from the database, such as user credentials or configuration details.

Impact

Successful exploitation of CVE-2026-9010 allows unauthenticated attackers to extract sensitive information from the WordPress database. This can lead to full site compromise, including unauthorized access to administrative accounts, data theft, and defacement of the website. Given the widespread use of WordPress and the Boost plugin, a large number of websites could be vulnerable. The CVSS v3.1 score of 7.5 indicates a high severity vulnerability.

Recommendation

  • Upgrade the Boost plugin for WordPress to a patched version higher than 2.0.3 to remediate CVE-2026-9010.
  • Deploy the Sigma rule “Detect CVE-2026-9010 Exploitation Attempt via WordPress Boost Plugin” to identify potential exploitation attempts in web server logs.
  • Implement input validation and sanitization measures on all user-supplied parameters in WordPress plugins to prevent SQL injection vulnerabilities.

Detection coverage (1 rule)

Detect CVE-2026-9010 Exploitation Attempt via WordPress Boost Plugin

Rule severity: high

Detects CVE-2026-9010 exploitation — SQL injection attempts in the WordPress Boost plugin via 'current_url' or 'user_name' parameters using time-based injection techniques.

  • Rule format: Sigma
  • Tactics: initial_access
  • Techniques: T1190, T1505.003
  • Log sources: webserver
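The following Python is an added illustration of the detection logic described above and is not the vendor's Sigma rule or any code from the Boost plugin. It scans combined-format web server access logs for time-delay SQL primitives in the 'current_url' and 'user_name' parameters named in the advisory; the request path and log lines are constructed placeholders, since the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request parameters named in the advisory for CVE-2026-9010.
SUSPECT_PARAMS = {"current_url", "user_name"}

# Time-delay primitives used in time-based SQL injection against MySQL/MariaDB
# (WordPress's backend), plus common equivalents emitted by generic scanners.
TIME_BASED = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)

# Apache/nginx "combined" access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def check_request(target):
    """Return the suspect parameter names whose value carries a time-delay pattern."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        # Decode once more: probes are frequently double-encoded to evade naive filters.
        if name.lower() in SUSPECT_PARAMS and any(TIME_BASED.search(unquote_plus(v)) for v in values):
            hits.append(name.lower())
    return sorted(hits)

def scan_log(lines):
    """Return (client, timestamp, [params]) for each access-log line that matches."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            client, ts, _method, target, _status = m.groups()
            hits = check_request(target)
            if hits:
                alerts.append((client, ts, hits))
    return alerts

# Constructed sample lines; the request path "/" is a placeholder, since the
# advisory does not name the vulnerable endpoint. Line 4 is a benign search.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2026:10:01:02 +0000] "GET /?current_url=https%3A%2F%2Fexample.com%2Fpricing HTTP/1.1" 200 512',
    '198.51.100.9 - - [20/May/2026:10:01:09 +0000] "GET /?current_url=x%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 512',
    '198.51.100.9 - - [20/May/2026:10:01:15 +0000] "GET /?user_name=a%2527%2520OR%2520BENCHMARK%25281000000%252CMD5%25281%2529%2529%2523 HTTP/1.1" 200 512',
    '203.0.113.8 - - [20/May/2026:10:02:00 +0000] "GET /?s=how+to+sleep%28%29+in+php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, ts, params in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} time-based SQLi pattern in {', '.join(params)}")
```

Access logs only record the query string, so the same parameters sent in a POST body require WAF or application-level logging to catch; where the log format also records request duration, a cluster of matching requests with multi-second latency from one client is the strongest signal of genuine time-based probing.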
