Opti Marketing <= 2.0.9 - Unauthenticated SQLi
Description
The Opti Marketing WordPress plugin through 2.0.9 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress / Opti Marketing WordPress plugin
- Range: <= 2.0.9
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and escaping of a parameter used in a SQL statement via an AJAX action."
Attack vector
An unauthenticated attacker can send a crafted AJAX request to a WordPress installation running the Opti Marketing plugin. In WordPress, an AJAX action reachable without authentication is one registered on the wp_ajax_nopriv_{action} hook and dispatched through wp-admin/admin-ajax.php, so no session or nonce check stands between the attacker and the handler. The plugin fails to sanitise and escape a request parameter before using it in a SQL statement, allowing the attacker to inject arbitrary SQL [CWE-89] [ref_id=1]. Depending on the statement, this allows unauthorized extraction of database contents and, if the statement is a write, modification of the database.
Affected code
The advisory does not specify the exact file or function name within the Opti Marketing plugin. The vulnerability exists in an AJAX action that is available to unauthenticated users [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 2.0.10 of the Opti Marketing plugin [ref_id=1]. The patch is not provided in the bundle, so its exact content is unknown; the expected fix for this class of bug [CWE-89] is to stop concatenating the user-supplied parameter into the statement and instead bind it with $wpdb->prepare() using a typed placeholder (%d for integers, %s for strings), optionally after casting or sanitising the value (for example absint() for an ID). Sanitising alone is not a substitute for a prepared statement.
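Because the advisory names neither the AJAX action, the handler nor the parameter, the first thing a practitioner wants is a way to locate unauthenticated AJAX handlers that run unprepared SQL in a plugin's source, and a side-by-side view of the vulnerable and hardened handler shapes. The script below is an added example, not code from the Opti Marketing plugin or from WPScan. The embedded PHP is a constructed sample: the action names (om_track, om_lookup, om_admin_only), the table om_campaigns and the parameter id are hypothetical and chosen only to exercise the check. The check is a regex heuristic (direct assignment from $_POST/$_GET/$_REQUEST, $wpdb calls whose argument lacks $wpdb->prepare), not a PHP parser, so treat its output as triage leads to confirm by hand.

```python
import re
from dataclasses import dataclass

# Constructed sample plugin source (NOT the real plugin code; names are hypothetical).
# om_track_handler shows the vulnerable shape: the request value is concatenated
# into the statement. om_lookup_handler shows the hardened shape: cast with
# absint() and bound through $wpdb->prepare(). om_admin_handler is unsafe too but
# is only registered on the authenticated wp_ajax_ hook.
SAMPLE_PLUGIN_PHP = r'''<?php
add_action('wp_ajax_nopriv_om_track', 'om_track_handler');
add_action('wp_ajax_om_track', 'om_track_handler');
add_action('wp_ajax_nopriv_om_lookup', 'om_lookup_handler');
add_action('wp_ajax_om_admin_only', 'om_admin_handler');

function om_track_handler() {
    global $wpdb;
    $id = $_POST['id'];
    // Vulnerable: untrusted value concatenated into the statement.
    $row = $wpdb->get_row("SELECT * FROM {$wpdb->prefix}om_campaigns WHERE id = " . $id);
    wp_send_json($row);
}

function om_lookup_handler() {
    global $wpdb;
    $id = isset($_POST['id']) ? absint($_POST['id']) : 0;
    // Hardened: typed placeholder bound via $wpdb->prepare().
    $row = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->prefix}om_campaigns WHERE id = %d", $id));
    wp_send_json($row);
}

function om_admin_handler() {
    global $wpdb;
    $name = $_POST['name'];
    $wpdb->query("DELETE FROM {$wpdb->prefix}om_campaigns WHERE name = '" . $name . "'");
}
'''

# add_action('wp_ajax_nopriv_<action>', '<callback>') / add_action('wp_ajax_<action>', ...)
ACTION_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([A-Za-z0-9_\-]+)['"]\s*,\s*['"]([A-Za-z0-9_]+)['"]"""
)
SQL_CALL_RE = re.compile(r"\$wpdb->(?:query|get_results|get_row|get_var|get_col)\s*\(")
SUPERGLOBAL_RE = re.compile(r"\$_(?:POST|GET|REQUEST)\b")
# $var = $_POST[...] with no sanitising call in between: treat $var as tainted.
TAINT_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*\$_(?:POST|GET|REQUEST)\[")


def _balanced_span(src: str, open_idx: int, open_ch: str, close_ch: str) -> str:
    """Return the text between src[open_idx] (an opener) and its matching closer."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == open_ch:
            depth += 1
        elif src[i] == close_ch:
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced delimiters")


def function_body(src: str, name: str):
    """Body of `function <name>(...) { ... }`, or None if not defined in src."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    return None if m is None else _balanced_span(src, m.end() - 1, "{", "}")


@dataclass
class Finding:
    action: str
    callback: str
    unauthenticated: bool  # True if any registration used wp_ajax_nopriv_
    statement: str


def unprepared_sql_calls(body: str):
    """SQL calls in body that skip $wpdb->prepare and use request-derived data."""
    tainted = set(TAINT_ASSIGN_RE.findall(body))
    hits = []
    for m in SQL_CALL_RE.finditer(body):
        arg = _balanced_span(body, m.end() - 1, "(", ")")
        if "$wpdb->prepare" in arg:
            continue
        if SUPERGLOBAL_RE.search(arg) or any(re.search(r"\$" + re.escape(v) + r"\b", arg) for v in tainted):
            hits.append(" ".join(arg.split()))
    return hits


def audit_ajax_sql(src: str):
    """One Finding per (callback, unprepared statement) across all AJAX registrations."""
    handlers = {}
    for nopriv, action, callback in ACTION_RE.findall(src):
        h = handlers.setdefault(callback, {"actions": set(), "nopriv": False})
        h["actions"].add(action)
        h["nopriv"] = h["nopriv"] or bool(nopriv)
    findings = []
    for callback, h in handlers.items():
        body = function_body(src, callback)
        if body is None:
            continue
        for stmt in unprepared_sql_calls(body):
            findings.append(Finding(sorted(h["actions"])[0], callback, h["nopriv"], stmt))
    return findings


def unauthenticated_findings(src: str):
    """The subset reachable through wp_ajax_nopriv_, i.e. pre-auth SQLi candidates."""
    return [f for f in audit_ajax_sql(src) if f.unauthenticated]


if __name__ == "__main__":
    for f in audit_ajax_sql(SAMPLE_PLUGIN_PHP):
        print(("PRE-AUTH " if f.unauthenticated else "auth     ") + f"{f.action} -> {f.callback}: {f.statement}")
```

Run it against a real plugin by replacing SAMPLE_PLUGIN_PHP with the concatenated contents of its PHP files; the pre-auth findings are the ones that match this advisory's description (unauthenticated AJAX action plus unescaped parameter in SQL). Two known blind spots of the heuristic: a value passed through a sanitiser that does not actually neutralise SQL (for example sanitize_text_field()) is not treated as tainted, and a $wpdb->prepare() call that itself interpolates the variable into the format string is not flagged, so review every handler that touches $wpdb, not only the flagged ones.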
Preconditions
- config: The Opti Marketing plugin (version <= 2.0.9) must be installed and active on the WordPress site
- auth: No authentication is required; the AJAX action is available to unauthenticated users
- network: The attacker must be able to send HTTP requests to the WordPress site (admin-ajax.php reachable)
- input: The attacker must supply a crafted value for the vulnerable parameter containing the SQL injection payload
Reproduction
The advisory at [ref_id=1] does not include explicit reproduction steps or a PoC code snippet beyond stating the vulnerability exists in an AJAX action available to unauthenticated users. No standalone PoC file is provided in the bundle.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://wpscan.com/vulnerability/7bb9474f-2b9d-4856-b36d-a43da3db0245/ (tags: mitre, exploit, vdb-entry, technical-description)