VYPR
Unrated severity · NVD Advisory · Published Nov 21, 2022 · Updated Apr 30, 2025

My wpdb < 2.5 - Arbitrary SQL Query via CSRF

CVE-2022-1578

Description

The My wpdb WordPress plugin before 2.5 is missing a CSRF check when running SQL queries, which could allow an attacker to make a logged-in admin run an arbitrary SQL query via a CSRF attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The My wpdb plugin before version 2.5 is missing a CSRF check, allowing an attacker to trick an admin into executing arbitrary SQL queries.

Vulnerability

The My wpdb WordPress plugin versions prior to 2.5 are vulnerable to a Cross-Site Request Forgery (CSRF) attack. The plugin fails to include a nonce or any other CSRF token when processing SQL queries submitted via the admin interface. This allows an attacker to craft a malicious request that, when triggered by a logged-in administrator, executes arbitrary SQL commands on the WordPress database. The vulnerability affects all versions before 2.5 [1].

Exploitation

An attacker needs to trick a logged-in administrator into making a request to the vulnerable endpoint, typically by embedding a crafted link or form in a third-party website, email, or other medium. No authentication is needed beyond the admin's active session; the attacker does not need any privileges on the target site. The admin must click the link or submit the form while logged into WordPress, and the plugin's AJAX or form handler will process the malicious SQL query without verifying the request's origin [1].

Impact

Successful exploitation allows the attacker to run arbitrary SQL queries on the WordPress database using the admin's privileges. This can lead to full database compromise, including extraction of sensitive user data, modification of content, insertion of malicious data, or deletion of tables. The impact is severe as it provides the attacker with the same database access level as the site administrator [1].

Mitigation

The vulnerability is fixed in My wpdb version 2.5, released on 2022-10-28 as per the WPScan advisory. Users should update to version 2.5 or later immediately. As a workaround, administrators should not interact with untrusted links while logged into the WordPress admin panel. There is no evidence that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing CSRF token check on the SQL query execution endpoint allows an attacker to forge requests on behalf of an authenticated administrator."

Attack vector

The My wpdb plugin before version 2.5 fails to include a CSRF check when processing SQL queries [1]. An attacker can craft a malicious page or email that, when visited by a logged-in administrator, triggers a forged request to the WordPress admin with arbitrary SQL statements. Because the plugin does not validate the origin or include a nonce, the browser automatically sends the admin's session cookies, and the request is processed as if the admin intended it [CWE-352]. This allows the attacker to execute any SQL query on the WordPress database, including destructive operations such as dropping tables or extracting sensitive data.

Affected code

The advisory does not specify exact file paths or function names. The vulnerable code is the SQL query execution handler within the My wpdb plugin, which processes administrator-submitted SQL statements without a CSRF nonce check [1].

What the fix does

The advisory states the vulnerability is fixed in version 2.5 of the My wpdb plugin [1]. No patch diff is provided in the bundle, but the remediation involves adding a CSRF check (typically a nonce verification) to the SQL query submission handler. This ensures that only requests originating from the plugin's own admin page, carrying a valid token tied to the current user session, are accepted. Without this check, the endpoint remains open to cross-site request forgery.
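The following is an added illustration of the remediation pattern described above; it is not the My wpdb plugin's code and the advisory does not show the actual patch. All function, hook and field names (`example_sqlbox_*`) are hypothetical. It contrasts an admin-page handler that runs a submitted SQL statement with no origin check against one that embeds a WordPress nonce in the form and verifies it, plus the capability, before touching the database.

```php
<?php
// Added example, not the plugin's own code. Shows how a WordPress admin handler
// that executes an administrator-supplied SQL statement is protected against
// CSRF with a nonce. Names prefixed example_sqlbox_ are hypothetical.

// --- Rendering the form: embed a nonce tied to the current user's session ---
function example_sqlbox_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_sqlbox_run">
        <?php wp_nonce_field( 'example_sqlbox_run', 'example_sqlbox_nonce' ); ?>
        <textarea name="example_sqlbox_query"></textarea>
        <?php submit_button( 'Run query' ); ?>
    </form>
    <?php
}

// --- Before: the pattern the advisory describes, with no nonce or origin check ---
// Any site that can make the admin's browser POST here gets the statement run,
// because the browser attaches the admin's session cookies automatically.
function example_sqlbox_handle_unsafe() {
    global $wpdb;
    $wpdb->query( wp_unslash( $_POST['example_sqlbox_query'] ) );
}

// --- After: verify the nonce and the capability before running anything ---
function example_sqlbox_handle_safe() {
    // check_admin_referer() terminates the request with a 403 unless the nonce in
    // the named field is valid for this action and the current user. Only pages
    // rendered for this logged-in user carry that value, so a cross-site form
    // cannot supply it.
    check_admin_referer( 'example_sqlbox_run', 'example_sqlbox_nonce' );

    // A nonce proves intent, not authority: still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient privileges.' ), '', array( 'response' => 403 ) );
    }

    if ( ! isset( $_POST['example_sqlbox_query'] ) ) {
        wp_die( esc_html__( 'No query supplied.' ), '', array( 'response' => 400 ) );
    }

    global $wpdb;
    $sql    = wp_unslash( $_POST['example_sqlbox_query'] );
    $result = $wpdb->query( $sql );
    // ... render $result and $wpdb->last_error back on the plugin's admin page ...
}

// admin-post.php routes a POST with action=example_sqlbox_run to this hook for
// logged-in users; the admin_post_nopriv_* variant is deliberately not registered,
// so unauthenticated requests are never dispatched to the handler.
add_action( 'admin_post_example_sqlbox_run', 'example_sqlbox_handle_safe' );
```

The nonce check is what closes the CSRF: a forged form on another origin can reproduce every other field, but not a token WordPress generated for this user and this action. The capability check is kept separately because the nonce only shows the request came from a page the user saw, not that the user is allowed to run SQL.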

Preconditions

  • config: The target site must have the My wpdb plugin installed and activated with a version prior to 2.5.
  • input: The attacker must trick a logged-in WordPress administrator into visiting a crafted page or link.
  • auth: The administrator must have the capability to access the plugin's SQL query interface (typically admin-level privileges).

Reproduction

The advisory does not include a step-by-step proof of concept, but the public reference at [1] confirms the vulnerability is a CSRF on the SQL query feature. An attacker could host an HTML page with a form that auto-submits a POST request to the plugin's SQL execution endpoint with a crafted query payload. When a logged-in admin visits that page, the query executes under the admin's session.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)