CVE-2026-2495
SQL Injection in WPNakama Plugin Allows Data Extraction
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpnakama | wpnakama | up to and including 0.6.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WPNakama WordPress plugin, used for team and multi-client collaboration and project management, has a vulnerability in its REST API endpoint '/wp-json/WPNakama/v1/boards'. Specifically, the 'order' parameter in this endpoint is vulnerable to SQL Injection in all versions up to and including 0.6.5.
This vulnerability arises because the plugin does not properly escape or prepare the 'order' parameter before including it in SQL queries. As a result, an unauthenticated attacker can inject additional SQL commands into the query.
This allows the attacker to manipulate the database query to extract sensitive information from the database without authorization.
How can this vulnerability impact me?
This SQL Injection vulnerability can have serious impacts including unauthorized access to sensitive data stored in the WordPress database used by the WPNakama plugin.
Because the vulnerability can be exploited by unauthenticated attackers, it poses a high risk of data leakage.
The CVSS score of 7.5 (High) reflects the severity, indicating that an attacker can remotely exploit this vulnerability without any privileges or user interaction.
While the vulnerability does not directly affect data integrity or availability, the confidentiality of sensitive information is compromised.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability exists in the WPNakama WordPress plugin versions up to 0.6.5 and is exploitable via the 'order' parameter of the '/wp-json/WPNakama/v1/boards' REST API endpoint. Detection can focus on monitoring or testing this endpoint for SQL injection attempts.
A practical detection method is to send crafted HTTP requests to the REST API endpoint to see if the 'order' parameter is vulnerable to SQL injection. For example, using curl to test the endpoint:
- curl -X GET "http://your-wordpress-site.com/wp-json/WPNakama/v1/boards?order=title%20ASC%27%20OR%201=1--"
- curl -X GET "http://your-wordpress-site.com/wp-json/WPNakama/v1/boards?order=board_id;DROP TABLE users--"
If the server responds with SQL errors or unexpected data, it indicates the presence of the SQL injection vulnerability. Network monitoring tools can also be configured to alert on suspicious requests targeting this endpoint with unusual 'order' parameter values.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the WPNakama plugin to a version later than 0.6.5 where the vulnerability is fixed (e.g., version 0.8.0 or later).
- If updating is not immediately possible, restrict access to the vulnerable REST API endpoint '/wp-json/WPNakama/v1/boards' by implementing firewall rules or web application firewall (WAF) rules to block or limit requests to this endpoint.
- Monitor logs for suspicious activity targeting the 'order' parameter and block offending IP addresses.
- Apply general WordPress security best practices, such as limiting plugin usage, enforcing strong authentication, and regularly backing up the database.
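The log monitoring suggested in the detection answer and in the mitigation list above, as an added example that is not part of the advisory or of the WPNakama plugin: it scans combined-format access log lines (constructed samples below) for requests to the boards endpoint whose 'order' value is not a plain sort specification. The allowlist pattern (a column name optionally followed by ASC/DESC) is an assumption, since the advisory does not state which values the plugin accepts; tighten it to your deployment.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint named in the advisory; the site may serve WordPress under a prefix.
TARGET_PATH = "/wp-json/WPNakama/v1/boards"

# Assumed shape of a legitimate sort spec, e.g. "title ASC", "board_id desc", "title".
SAFE_ORDER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\s+(?:asc|desc))?$", re.IGNORECASE)

# Minimal Apache/nginx combined format: client, timestamp, "METHOD target HTTP/x", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the probe values are the ones quoted in the advisory above.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Feb/2026:10:00:01 +0000] "GET /wp-json/WPNakama/v1/boards?order=title%20ASC HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Feb/2026:10:00:02 +0000] "GET /wp-json/WPNakama/v1/boards?order=title%20ASC%27%20OR%201=1-- HTTP/1.1" 200 9810',
    '198.51.100.7 - - [18/Feb/2026:10:00:03 +0000] "GET /wp-json/WPNakama/v1/boards?order=board_id%3BDROP%20TABLE%20users-- HTTP/1.1" 500 213',
    '198.51.100.7 - - [18/Feb/2026:10:00:04 +0000] "GET /wp-json/wp/v2/posts?order=desc HTTP/1.1" 200 4410',
    '192.0.2.9 - - [18/Feb/2026:10:00:05 +0000] "GET /blog/wp-json/WPNakama/v1/boards?order=board_id+desc HTTP/1.1" 200 600',
]


def suspicious_order_values(log_lines):
    """Return (client_ip, timestamp, decoded order value) for every request to the
    WPNakama boards endpoint whose 'order' parameter does not look like a sort spec."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(TARGET_PATH):
            continue  # other endpoints use 'order' legitimately (e.g. wp/v2/posts)
        for raw in parse_qs(parts.query, keep_blank_values=True).get("order", []):
            # parse_qs decodes once; decoding again also catches double-encoded values.
            value = unquote_plus(raw)
            if not SAFE_ORDER.match(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_order_values(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious order={value!r}")
```

Feed the function real access log lines (one string per line) to produce a block list or a SIEM alert for the client addresses it returns.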