VYPR
Unrated severity · NVD Advisory · Published Feb 6, 2023 · Updated Mar 25, 2025

SiteGround Security < 1.3.1 - Admin+ SQLi

CVE-2023-0234

Description

The SiteGround Security WordPress plugin before 1.3.1 fails to sanitize user input in an SQL query, allowing authenticated SQL injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SiteGround Security WordPress plugin (sg-security) versions before 1.3.1 contain an authenticated SQL injection vulnerability. The plugin does not properly sanitize user input before using it in an SQL query, leading to a SQL injection condition that requires an authenticated user role [1][2].

Exploitation

An attacker with administrative-level access to the WordPress site (or possibly lower roles depending on the vulnerable functionality) can supply crafted input that is not sanitized before being included in an SQL query. The specific parameter and endpoint are not disclosed in the available references, but the authenticated nature of the attack means the attacker must have a valid WordPress user account with sufficient privileges [1][2].

Impact

Successful exploitation allows the attacker to inject arbitrary SQL commands, potentially leading to unauthorized reading or modification of database contents. This could result in information disclosure, privilege escalation, or other database manipulation [1][2]. The CVSS score is 6.8 (medium) [2].

Mitigation

The fixed version 1.3.1 of the SiteGround Security WordPress plugin was released to address this issue. Users should update to version 1.3.1 or later [2]. No workarounds are documented in the available references.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization allows an authenticated attacker to inject arbitrary SQL via a plugin parameter."

Attack vector

An attacker with administrative-level access to the WordPress admin panel can supply crafted input to a plugin parameter that is not sanitized before being used in an SQL query [ref_id=1]. The lack of proper sanitization [CWE-89] means the attacker's input is concatenated directly into the SQL statement, enabling them to manipulate the query. This allows the attacker to extract, modify, or delete arbitrary data from the WordPress database.

Affected code

The advisory does not specify the exact file or function name within the SiteGround Security plugin that is vulnerable [ref_id=1]. The vulnerability exists in a plugin parameter that is used in an SQL query without proper sanitization.

What the fix does

The advisory states the issue is fixed in version 1.3.1 of the SiteGround Security plugin [ref_id=1]. The fix involves properly sanitizing user input before it is used in an SQL query, which prevents the injection of malicious SQL fragments. No patch diff is available in the provided bundle, so the exact code change cannot be described.

Preconditions

  • auth: The attacker must be authenticated as an administrator-level user in WordPress.
  • input: The attacker must be able to supply crafted input to the vulnerable plugin parameter.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.