CVE-2026-3334 in CMS Commander Plugin
Summary
by MITRE • 03/21/2026
The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries in the restore workflow. This makes it possible for authenticated attackers, with CMS Commander API key access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
by VulDB Data Team • 03/21/2026
CVE-2026-3334 is a critical SQL injection flaw in the CMS Commander plugin for WordPress, affecting all versions up to and including 2.288. The flaw lies in the restore workflow, where the plugin processes the user-supplied 'or_blogname', 'or_blogdescription' and 'or_admin_email' parameters during database restoration without adequate sanitization: the values are neither properly escaped nor bound through prepared queries before they are incorporated into SQL statements.
Exploitation requires authentication: the attacker must hold a valid CMS Commander API key. That requirement narrows the attack surface considerably but does not remove the risk, since API keys can be compromised through credential leakage, insecure storage or social engineering. At the database layer the plugin builds its SQL queries by concatenating the user-supplied values directly into the statement text, without parameterization or escaping, so input containing SQL metacharacters can change the structure of the intended query.
The impact goes beyond simple data exfiltration and can extend to full database compromise. An authenticated attacker with API key access can append further SQL queries to the plugin's existing database operations and retrieve data without authorization, including user credentials, configuration settings and other sensitive information held in the WordPress database. This is the class of weakness catalogued as CWE-89, SQL injection, which threatens both data integrity and confidentiality. Every WordPress site running an affected CMS Commander version is exposed, so the number of vulnerable installations scales with how widely the plugin is deployed.
Mitigation begins with updating CMS Commander to version 2.289 or later, where proper input sanitization and query preparation have been implemented. Organizations should also enforce strict access controls on API keys and regularly audit plugin installations so that only necessary functionality is enabled. Database and network monitoring should be tuned to flag unusual query patterns that could indicate exploitation attempts. More generally, input validation and parameterized queries, as recommended by the OWASP Top Ten and the MITRE ATT&CK framework for database security, prevent the same class of flaw in other applications. Patch rollout should include testing to confirm that the update does not regress legitimate restore functionality while retaining the protections against SQL injection.
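The following is an added illustration, not CMS Commander's code and not the plugin's actual query: it shows the query-building mistake described in the analysis (values concatenated into the statement text) beside the parameterized form the mitigation section calls for. The table layout, the mapping of the or_* parameters to option names, and the function names are assumptions made for the example; an in-memory SQLite database accessed through PDO stands in for the WordPress $wpdb layer so the file runs under plain php with the pdo_sqlite extension.

```php
<?php
// Added illustration, not CMS Commander's code. A wp_options-like table in an
// in-memory SQLite database stands in for the WordPress $wpdb layer so the file
// runs under plain `php` (needs the pdo_sqlite extension).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)");
$db->exec("INSERT INTO wp_options VALUES
    ('blogname', 'Old Name'),
    ('blogdescription', 'Old tagline'),
    ('admin_email', 'admin@example.invalid')");

// Only the options the restore step is meant to touch (hypothetical mapping of
// the or_* request parameters to option names; constructed for this example).
const RESTORE_OPTIONS = [
    'or_blogname'        => 'blogname',
    'or_blogdescription' => 'blogdescription',
    'or_admin_email'     => 'admin_email',
];

// Vulnerable pattern (constructed, not the plugin's real code): the request
// value is spliced into the statement text, so any quote in it changes the
// structure of the query instead of being stored as data.
function restore_option_unsafe(PDO $db, string $param, string $value): string
{
    $name = RESTORE_OPTIONS[$param];
    $sql  = "UPDATE wp_options SET option_value = '" . $value
          . "' WHERE option_name = '" . $name . "'";
    try {
        $db->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'sql error: ' . $e->getMessage();
    }
}

// Hardened form: the option name is resolved through the allow-list and the
// value travels as a bound parameter, never as statement text. In WordPress
// the same effect comes from $wpdb->prepare() with %s placeholders or from
// $wpdb->update(), which binds the values for you.
function restore_option_safe(PDO $db, string $param, string $value): string
{
    if (!array_key_exists($param, RESTORE_OPTIONS)) {
        return 'rejected: unknown restore parameter';
    }
    $stmt = $db->prepare(
        "UPDATE wp_options SET option_value = :value WHERE option_name = :name"
    );
    $stmt->execute([':value' => $value, ':name' => RESTORE_OPTIONS[$param]]);
    return 'ok';
}

function read_option(PDO $db, string $name): ?string
{
    $stmt = $db->prepare("SELECT option_value FROM wp_options WHERE option_name = ?");
    $stmt->execute([$name]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// Constructed input: an ordinary site name that happens to contain apostrophes.
// It is not an attack string, but it is enough to show the two behaviours.
$blogname = "O'Reilly's Blog";

echo restore_option_unsafe($db, 'or_blogname', $blogname), "\n"; // sql error: the quote broke the statement
echo read_option($db, 'blogname'), "\n";                         // Old Name (the update never ran)

echo restore_option_safe($db, 'or_blogname', $blogname), "\n";   // ok
echo read_option($db, 'blogname'), "\n";                         // O'Reilly's Blog

echo restore_option_safe($db, 'or_siteurl', 'x'), "\n";          // rejected: unknown restore parameter
```

The apostrophe in the sample name is enough to show the difference: with concatenation the character terminates the quoted literal and the database sees a different statement than the developer intended, whereas a bound parameter is handed to the driver separately and can only ever be a value. The allow-list on the parameter name closes the second half of the same problem, since the column being written is then chosen by the code, not by the request.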