{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22484", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:16.751Z", "datePublished": "2026-03-25T16:14:22.610Z", "dateUpdated": "2026-04-28T17:19:37.944Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "lisfinity-core", "product": "Lisfinity Core", "vendor": "pebas", "versions": [{"lessThanOrEqual": "1.5.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:56.161Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.<p>This issue affects Lisfinity Core: from n/a through <= 1.5.0.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.This issue affects Lisfinity Core: from n/a through <= 1.5.0."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:45.546Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/lisfinity-core/vulnerability/wordpress-lisfinity-core-plugin-1-5-0-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Lisfinity Core plugin <= 1.5.0 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T19:12:43.368121Z", "id": "CVE-2026-22484", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:19:37.944Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22484", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:16.751Z", "datePublished": "2026-03-25T16:14:22.610Z", "dateUpdated": "2026-04-28T17:19:37.944Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "lisfinity-core", "product": "Lisfinity Core", "vendor": "pebas", "versions": [{"lessThanOrEqual": "1.5.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:56.161Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.<p>This issue affects Lisfinity Core: from n/a through <= 1.5.0.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.This issue affects Lisfinity Core: from n/a through <= 1.5.0."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:45.546Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/lisfinity-core/vulnerability/wordpress-lisfinity-core-plugin-1-5-0-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Lisfinity Core plugin <= 1.5.0 - SQL Injection vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22484", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T19:12:43.368121Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:12:54.548Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.This issue affects Lisfinity Core: from n/a through <= 1.5.0."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') vulnerabilidad en pebas Lisfinity Core lisfinity-core permite la inyecci\u00f3n SQL. Este problema afecta a Lisfinity Core: desde n/a hasta &lt;= 1.5.0."}], "id": "CVE-2026-22484", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:30.803", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/lisfinity-core/vulnerability/wordpress-lisfinity-core-plugin-1-5-0-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Lisfinity Core", "source": "cna", "vendor": "pebas"}, "product": "lisfinity_core", "vendor": "pebas"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T20:57:23.360229+00:00", "value": {"mitigation_remediation": ["Upgrade Lisfinity Core to a version newer than 1.5.0 as soon as a vendor patch becomes available", "After upgrading, verify that the site functions correctly and confirm the plugin is no longer vulnerable", "If a patch is not yet released, limit exposure by restricting access to the vulnerable endpoints or by configuring a web\u2011application firewall to block suspicious requests"], "summary": {"action": "Patch Immediately", "impact": "Remote SQL Injection exposing database data"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Lisfinity Core plugin (distributed by pebas) installed in any version up through 1.5.0 are vulnerable. The issue is independent of the underlying operating system or web server; it exists wherever the affected plugin code is present within the WordPress installation.", "description_and_impact": "The vulnerability originates from improper escaping of user-supplied input before it is incorporated into an SQL query. This flaw allows an attacker to inject arbitrary SQL commands, potentially reading, modifying, or deleting records in the WordPress database. The weakness is classified as CWE\u201189 and represents a classic injection flaw that directly compromises data confidentiality and integrity.", "risk_and_exploitability": "With a CVSS score of 9.3 the flaw is deemed critical. Although the EPSS score is below 1\u202f%\u2014suggesting a low probability of exploitation in the wild\u2014the potential impact is high. Attackers can remotely exploit the flaw by sending crafted HTTP requests that trigger the injection point, enabling full read/write/delete access to the database. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants immediate attention."}}}}, "created": "2026-03-25T21:35:28.729430+00:00", "updated": "2026-03-27T09:46:55.505785+00:00", "vendors": ["pebas", "pebas$PRODUCT$lisfinity_core", "wordpress", "wordpress$PRODUCT$wordpress"]}