Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
WordPress CMS Commander Plugin Exposes Sensitive Data
CVE-2026-3334
Summary
The CMS Commander plugin for WordPress has a security flaw that allows an attacker with a special key to access sensitive information from your database. This could happen if you're running a version of the plugin that's not updated. To fix this, update the plugin to the latest version.
Original title
The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This ...
Original description
The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries in the restore workflow. This makes it possible for authenticated attackers, with CMS Commander API key access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
nvd CVSS3.1
8.8
Vulnerability type
CWE-89
SQL Injection
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026