{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/boost-plugin-for-wordpress--2.0.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-9010"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Boost plugin for WordPress \u003c= 2.0.3"],"_cs_severities":["high"],"_cs_tags":["cve","sqli","wordpress"],"_cs_type":"advisory","_cs_vendors":["Wordfence"],"content_html":"\u003cp\u003eCVE-2026-9010 is a time-based SQL injection vulnerability affecting the Boost plugin for WordPress, versions up to and including 2.0.3. This flaw stems from inadequate input sanitization of the \u0026lsquo;current_url\u0026rsquo; and \u0026lsquo;user_name\u0026rsquo; parameters, coupled with insufficient preparation of SQL queries. Unauthenticated attackers can exploit this vulnerability to inject arbitrary SQL code into existing queries. Successful exploitation allows attackers to extract sensitive information from the WordPress database, potentially compromising user credentials, site configuration details, and other confidential data. This vulnerability was reported by Wordfence on May 20, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version (\u0026lt;= 2.0.3) of the Boost plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the vulnerable \u0026lsquo;current_url\u0026rsquo; or \u0026lsquo;user_name\u0026rsquo; parameters.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a SQL injection payload designed for time-based injection, using functions like \u003ccode\u003eSLEEP()\u003c/code\u003e or \u003ccode\u003eBENCHMARK()\u003c/code\u003e to introduce delays.\u003c/li\u003e\n\u003cli\u003eThe Boost plugin processes the request without properly sanitizing the \u0026lsquo;current_url\u0026rsquo; or \u0026lsquo;user_name\u0026rsquo; parameters.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is appended to the existing SQL query executed by the plugin.\u003c/li\u003e\n\u003cli\u003eThe injected code causes a time delay if the injected SQL conditions are met.\u003c/li\u003e\n\u003cli\u003eThe attacker observes the response time of the HTTP request. An increased response time indicates successful SQL injection.\u003c/li\u003e\n\u003cli\u003eThe attacker iteratively refines the SQL injection payload to extract sensitive information from the database, such as user credentials or configuration details.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9010 allows unauthenticated attackers to extract sensitive information from the WordPress database. This can lead to full site compromise, including unauthorized access to administrative accounts, data theft, and defacement of the website. Given the widespread use of WordPress and the Boost plugin, a large number of websites could be vulnerable. The CVSS v3.1 score of 7.5 indicates a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Boost plugin for WordPress to a patched version higher than 2.0.3 to remediate CVE-2026-9010.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-9010 Exploitation Attempt via WordPress Boost Plugin\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures on all user-supplied parameters in WordPress plugins to prevent SQL injection vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T04:17:37Z","date_published":"2026-05-20T04:17:37Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9010-wordpress-boost-sqli/","summary":"The Boost plugin for WordPress is vulnerable to time-based SQL Injection (CVE-2026-9010) via the 'current_url' and 'user_name' parameters in versions up to 2.0.3, allowing unauthenticated attackers to extract sensitive information from the database due to insufficient input sanitization.","title":"CVE-2026-9010 - WordPress Boost Plugin Time-Based SQL Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9010-wordpress-boost-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Boost Plugin for WordPress \u003c= 2.0.3","version":"https://jsonfeed.org/version/1.1"}