CVE-2026-6230 in Tainacan Plugininfo

Summary

by MITRE • 07/08/2026

The Tainacan plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geoquery' parameter in all versions up to and including 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The Tainacan plugin for WordPress presents a critical time-based blind sql injection vulnerability that affects all versions up to and including 1.0.3. This flaw resides in the handling of the geoquery parameter which lacks proper input sanitization and escaping mechanisms. The vulnerability stems from inadequate preparation of sql queries within the plugin's codebase, creating an exploitable condition where malicious input can be seamlessly integrated into existing database operations.

The technical implementation of this vulnerability allows unauthenticated attackers to manipulate the geoquery parameter through crafted sql payloads that leverage time-based blind techniques. When the plugin processes user-supplied input without proper validation or escaping, it creates opportunities for attackers to inject additional sql commands that execute within the context of the existing queries. This type of injection occurs because the parameter value is directly incorporated into sql statements without appropriate parameterization or input filtering mechanisms.

The operational impact of this vulnerability extends beyond simple data extraction as it provides attackers with the capability to perform extensive reconnaissance and data exfiltration from the affected wordpress installation. Through time-based blind sql injection techniques, adversaries can infer database contents by measuring response times and executing conditional queries that cause delays in processing. This enables attackers to extract sensitive information including user credentials, administrative details, and other confidential data stored within the database.

This vulnerability aligns with common weakness enumeration cwes 89 and 749 which address sql injection flaws and improper neutralization of special elements used in sql commands respectively. The attack pattern follows typical sql injection methodologies documented in the mitre att&ck framework under technique t1213 for data exploitation and t1071 for application layer protocol usage. The lack of proper input validation and parameterized queries represents a fundamental security oversight that violates secure coding practices established by wordpress core development standards and industry best practices.

Mitigation strategies should prioritize immediate patching to versions that address the sql injection vulnerability through proper parameterization of user inputs and implementation of robust input sanitization. Administrators must ensure that all user-supplied parameters undergo strict validation before being processed in database operations. Additional protective measures include implementing web application firewalls, monitoring for suspicious query patterns, and conducting regular security assessments of wordpress plugins to identify similar vulnerabilities across the entire application stack.

Responsible

Wordfence

Reservation

04/13/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!