CVE-2026-4079
SQL Injection in SQL Chart Builder Plugin Dynamic Filters
Publication date: 2026-04-07
Last updated on: 2026-04-09
Assigner: WPScan
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| guaven | sql_chart_builder | before 2.3.8 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4079 is an SQL Injection vulnerability in the WordPress plugin SQL Chart Builder versions before 2.3.8. The plugin does not properly escape user input when it is concatenated into SQL queries, specifically in the dynamic filter functionality used for charts.
This flaw allows attackers to inject malicious SQL code through dynamic filter parameters on publicly accessible pages. For example, an attacker can append a crafted SQL injection payload to a URL parameter like 'status_tag' to extract sensitive data from the WordPress database.
The injected SQL query can return administrator credentials such as usernames and hashed passwords, which are then exposed in the chart data rendered on the frontend, visible in the page source.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized disclosure of sensitive information. An attacker can extract administrator usernames and hashed passwords from the WordPress database without authentication.
With these credentials, attackers may gain administrative access to the WordPress site, potentially leading to full site compromise, data theft, defacement, or further exploitation.
Additionally, the exposure of sensitive data in publicly accessible pages can damage the site's reputation and trustworthiness.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the SQL Chart Builder WordPress plugin version is prior to 2.3.8 and if dynamic filter parameters are vulnerable to SQL Injection.
One practical detection method is to test the dynamic filter parameter (e.g., status_tag) on a publicly accessible chart page by appending a crafted SQL injection payload to the URL.
For example, sending an HTTP GET request like: /vulnerable-chart-page/?status_tag=1+OR+1=1+UNION+SELECT+user_login,user_pass+FROM+wp_users+--+()
If the page source contains exposed data such as WordPress usernames and hashed passwords embedded in JavaScript chart data arrays (e.g., labels:), this confirms the vulnerability.
Commands to detect this might include using curl or wget to fetch the vulnerable URL and then searching the response for sensitive data.
- curl -s 'http://target-site/vulnerable-chart-page/?status_tag=1+OR+1=1+UNION+SELECT+user_login,user_pass+FROM+wp_users+--+()' | grep -i 'labels:'
- wget -qO- 'http://target-site/vulnerable-chart-page/?status_tag=1+OR+1=1+UNION+SELECT+user_login,user_pass+FROM+wp_users+--+()' | grep -i 'labels:'
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to update the SQL Chart Builder WordPress plugin to version 2.3.8 or later, where this SQL Injection vulnerability has been fixed.
If updating is not immediately possible, restrict public access to pages using dynamic filters or disable the dynamic filter functionality to prevent exploitation.
Additionally, monitor web server logs for suspicious requests containing SQL injection payloads targeting dynamic filter parameters.
Implementing a Web Application Firewall (WAF) with SQL injection detection rules can also help block malicious attempts.
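The log monitoring suggested above can be sketched as follows. This is an added example, not code from the advisory or the plugin; it assumes Common/Combined Log Format access logs, and the rule names, sample log lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Client IP, request target and status from a Common/Combined Log Format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Heuristic rules (hypothetical names) applied to each *decoded* query-string value.
# "wp_" is only the default WordPress table prefix; adjust for your install.
RULES = [
    ("union_select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("wp_credential_columns", re.compile(r"\b(wp_users|user_pass|user_login)\b", re.I)),
    ("boolean_tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
    ("sql_comment", re.compile(r"--(\s|$)|/\*")),
]

def scan_line(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    hits = {}
    # parse_qsl undoes '+' and %XX encoding, so the rules see the value the
    # plugin would see; a plain grep for "UNION SELECT" misses "UNION+SELECT".
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        matched = [rule for rule, rx in RULES if rx.search(value)]
        if matched:
            hits[name] = matched
    if not hits:
        return None
    return {"ip": ip, "path": urlsplit(target).path, "status": int(status), "params": hits}

def scan_log(lines):
    """Scan an iterable of log lines and return all findings."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample access-log lines (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Apr/2026:10:15:02 +0000] "GET /vulnerable-chart-page/?status_tag=1+OR+1=1+UNION+SELECT+user_login,user_pass+FROM+wp_users+--+() HTTP/1.1" 200 5120',
    '198.51.100.20 - - [08/Apr/2026:10:16:40 +0000] "GET /vulnerable-chart-page/?status_tag=open HTTP/1.1" 200 4890',
    '198.51.100.21 - - [08/Apr/2026:10:17:05 +0000] "GET /?s=credit+union+rates HTTP/1.1" 200 7321',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On a real server, pass the open log file to `scan_log`; a hit with a 200 status on a chart page is a lead for triage, not proof that data was returned.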
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to perform SQL Injection attacks that can expose sensitive data such as WordPress user credentials, including usernames and hashed passwords. This exposure of sensitive personal data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access or disclosure.
Specifically, the extraction and public exposure of user credentials through the vulnerable plugin can result in breaches of confidentiality and data integrity, potentially triggering regulatory penalties and legal consequences under these standards.