CVE-2026-27373

Vulnerability

Overview

The Tablesome plugin for WordPress (versions up to and including 1.2.3) contains a blind SQL injection vulnerability due to improper neutralization of special elements used in SQL commands. This flaw allows an attacker to inject arbitrary SQL queries through unsanitized input fields, leading to blind SQL injection [1].

Exploitation

Details

Exploitation does not require authentication, making it accessible to any remote attacker. The blind nature of the injection means that data extraction is performed through boolean-based or time-based inference, typically by sending crafted HTTP requests to the vulnerable endpoint. No special privileges or network position beyond standard web access are needed [1].

Impact

A successful attack enables the attacker to interact directly with the underlying database, potentially extracting sensitive information such as user credentials, post content, and configuration data. This can lead to full site compromise, privilege escalation, and further attacks on the server [1].

Mitigation

Patchstack has issued a mitigation rule to block attacks until a fix is applied. The vendor has released version 1.2.4, which resolves the vulnerability. Users are strongly advised to update immediately, as this vulnerability is expected to be exploited in mass campaigns targeting thousands of websites [1].