{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24624", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:28.686Z", "datePublished": "2026-01-23T14:29:07.293Z", "dateUpdated": "2026-04-28T16:14:50.671Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "neoforum", "product": "Neoforum", "vendor": "saeros1984", "versions": [{"lessThanOrEqual": "1.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mrreee | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:49.019Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection.<p>This issue affects Neoforum: from n/a through <= 1.0.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection.This issue affects Neoforum: from n/a through <= 1.0."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.671Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Neoforum plugin <= 1.0 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:46:31.370294Z", "id": "CVE-2026-24624", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:46:35.917Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24624", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:46:31.370294Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T15:44:32.847Z"}}], "cna": {"title": "WordPress Neoforum plugin <= 1.0 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Mrreee | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "saeros1984", "product": "Neoforum", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0"}], "packageName": "neoforum", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:49.019Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection.This issue affects Neoforum: from n/a through <= 1.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection.<p>This issue affects Neoforum: from n/a through <= 1.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.671Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24624", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:50.671Z", "dateReserved": "2026-01-23T12:32:28.686Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:07.293Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection.This issue affects Neoforum: from n/a through <= 1.0."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') en saeros1984 Neoforum neoforum permite Inyecci\u00f3n SQL Ciega. Este problema afecta a Neoforum: desde n/d hasta &lt;= 1.0."}], "id": "CVE-2026-24624", "lastModified": "2026-04-28T15:16:20.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:21.613", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T17:48:42.725886+00:00", "value": {"mitigation_remediation": ["Upgrade the Neoforum plugin to a version newer than 1.0 or remove it entirely.", "If an upgrade is not immediately possible, restrict public access to the forum pages so that only authenticated, trusted users can submit input to the vulnerable endpoints.", "Deploy a web application firewall rule that blocks or sanitizes SQL payload patterns targeting the Neoforum plugin\u2019s request parameters."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Data Access via SQL Injection"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that incorporates the Neoforum plugin version 1.0 or earlier, distributed by saeros1984. The vulnerability exists in all releases up to and including 1.0, with no earlier version information available.", "description_and_impact": "An attacker can exploit a blind SQL Injection flaw in the Neoforum WordPress plugin caused by improper neutralization of special characters in database queries. This allows the injection of arbitrary SQL statements through crafted input, potentially revealing, modifying, or deleting sensitive data stored in the WordPress database. The impact is a breach of confidentiality, integrity, and possibly availability of the site\u2019s content and user information.", "risk_and_exploitability": "The flaw is rated with a CVSS score of 7.6, indicating high severity. The EPSS score of less than 1% suggests that, as of current data, exploit attempts are rare, and the vulnerability is not currently part of the CISA KEV catalog. The likely attack vector is via web requests directed at the plugin\u2019s input points; authentication is not explicitly required, but the details are not fully disclosed in the description. An attacker can leverage the blind nature of the injection to infer database structure and extract information without immediate error messages."}}}}, "created": "2026-01-26T11:53:45.388664+00:00", "updated": "2026-04-28T18:00:14.068832+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}