CVE-2026-4834

Vulnerability

The WP ERP Pro plugin for WordPress versions up to and including 1.5.1 contains a SQL injection vulnerability in the search_key parameter. This arises from insufficient escaping on the user-supplied parameter and lack of proper preparation on the existing SQL query. The vulnerable code path is reachable without authentication, making the flaw exploitable by any remote attacker.

Exploitation

An unauthenticated attacker can send a crafted HTTP request containing malicious SQL in the search_key parameter. The request is processed by the plugin without adequate sanitization, allowing the attacker to append arbitrary SQL queries to the existing database query. No special privileges or user interaction is required. The attacker only needs network access to the WordPress installation [1].

Impact

Successful exploitation allows the attacker to extract sensitive information from the WordPress database. This can include user credentials, session tokens, and other private data. The confidentiality of the system is compromised, potentially leading to further privilege escalation or data breaches [1].

Mitigation

A fixed version has not been disclosed in the available references. Users are advised to update the WP ERP Pro plugin to the latest version as soon as a patch is released by the vendor. As of now, no workaround is provided. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.