WP ERP Pro SQL Injection (CVE-2026-4834) Exposes Sensitive Data
The National Vulnerability Database reports a critical SQL Injection vulnerability, CVE-2026-4834, affecting the WP ERP Pro plugin for WordPress. All versions up to and including 1.5.1 are impacted. This flaw stems from insufficient escaping of the 'search_key' parameter and a lack of proper preparation in existing SQL queries, creating a direct pathway for attackers.
This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially extracting sensitive information directly from the database. With a CVSS score of 7.5 (HIGH), this is not theoretical — it’s a clear and present danger to any organization running the affected plugin. The AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N vector confirms it’s network-exploitable, low complexity, requires no privileges or user interaction, and provides high confidentiality impact.
Organizations leveraging WP ERP Pro must prioritize patching. An unauthenticated SQL injection is a gift to attackers seeking initial access or data exfiltration. This isn’t about sophisticated nation-state actors; script kiddies can weaponize this. The risk of exposing customer data, internal records, or other critical business information is substantial.
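The defect class named above (untrusted parameter text concatenated into SQL instead of being bound as a prepared-statement parameter) is easiest to see side by side. The following is an added illustration written for this page, not WP ERP Pro's code: it uses an in-memory SQLite database with an invented schema and a constructed search_key value, and contrasts a string-interpolated query with a parameterized one. In a WordPress plugin the parameterized form corresponds to passing the value through $wpdb->prepare().

```python
"""Constructed illustration (not the plugin's code): the same search
implemented with string interpolation and with a bound parameter."""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """In-memory database with an invented public table and a second table
    the search endpoint was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE contacts (id INTEGER, name TEXT);
        INSERT INTO contacts VALUES (1, 'Alice Example'), (2, 'Bob Example');
        CREATE TABLE users (id INTEGER, email TEXT);
        INSERT INTO users VALUES (1, 'admin@example.test');
        """
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, search_key: str) -> list:
    """Interpolates the untrusted search_key straight into the SQL text.
    This is the 'insufficient escaping / no preparation' defect class: the
    input can change the structure of the statement, not just a value."""
    sql = f"SELECT id, name FROM contacts WHERE name LIKE '%{search_key}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, search_key: str) -> list:
    """Binds search_key as a parameter. The driver sends the statement and
    the value separately, so the value can only ever be compared as data."""
    sql = "SELECT id, name FROM contacts WHERE name LIKE ?"
    return conn.execute(sql, (f"%{search_key}%",)).fetchall()


# Constructed input in the shape the page's detection rule looks for
# (search_key=...UNION...SELECT...): it closes the string literal, appends a
# UNION against the other table and comments out the rest of the statement.
INJECTED_KEY = "zzz%' UNION SELECT id, email FROM users -- "


if __name__ == "__main__":
    db = build_demo_db()
    print("benign, unsafe :", search_unsafe(db, "Alice"))
    print("benign, safe   :", search_safe(db, "Alice"))
    print("injected, unsafe:", search_unsafe(db, INJECTED_KEY))  # leaks users row
    print("injected, safe  :", search_safe(db, INJECTED_KEY))    # no rows
```

The unsafe variant returns a row from the `users` table for the injected key, while the parameterized variant treats the whole string as a LIKE pattern and returns nothing; for an ordinary key both behave identically, which is why the defect goes unnoticed in functional testing.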
What This Means For You
- If your organization uses the WP ERP Pro plugin, you need to verify your installed version immediately. Patch to a fixed version beyond 1.5.1 without delay. Prioritize this, as unauthenticated SQL injection is a prime target for opportunistic attackers looking to dump your database. Audit your WordPress logs for any suspicious activity related to the 'search_key' parameter.
Related ATT&CK Techniques
- T1190 Exploit Public-Facing Application (Initial Access)
🛡️ Detection Rules
Detection rules auto-generated for this advisory and mapped to MITRE ATT&CK; one of the three rules is reproduced below as Sigma YAML.
```yaml
title: WP ERP Pro SQL Injection via search_key parameter - CVE-2026-4834
id: scw-2026-05-22-ai-1
status: experimental
level: critical
description: |
  Detects SQL injection attempts targeting the WP ERP Pro plugin (CVE-2026-4834) by looking for specific patterns within the 'search_key' parameter in the URI query. This injection aims to extract sensitive data by appending malicious SQL queries.
author: SCW Feed Engine (AI-generated)
date: 2026-05-22
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4834/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'search_key=*UNION*SELECT*'
      - 'search_key=*UNION*SELECT null*'
      - 'search_key=*UNION*SELECT @@version*'
      - 'search_key=*UNION*SELECT database()*'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
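To see what the selection above actually matches, here is an added Python harness (not part of this page or of the SCW rule set) that compiles the rule's four `cs-uri-query|contains` values into case-insensitive regular expressions, the way Sigma wildcards behave, and runs them over constructed W3C-style web server log lines with an invented `/erp/search` URI stem. It also exercises two caveats a defender should know before deploying the rule: URL-decoding the query before matching catches percent-encoded forms that a raw-field match misses, and the unanchored wildcards also fire on benign words such as "reunion" and "selection".

```python
"""Added detection harness for the page's Sigma selection; the log format
and every log line below are constructed for the demo."""
import re
from urllib.parse import unquote_plus

# The value list from the rule's `cs-uri-query|contains` selection.
SEARCH_KEY_PATTERNS = [
    "search_key=*UNION*SELECT*",
    "search_key=*UNION*SELECT null*",
    "search_key=*UNION*SELECT @@version*",
    "search_key=*UNION*SELECT database()*",
]


def sigma_contains_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma value with `*` / `?` wildcards under the `contains`
    modifier into an unanchored, case-insensitive regex (Sigma string
    matching is case-insensitive by default)."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE | re.DOTALL)


COMPILED = [sigma_contains_regex(p) for p in SEARCH_KEY_PATTERNS]


def query_string(log_line: str) -> str:
    """Extract cs-uri-query from a constructed space-separated layout:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    fields = log_line.split()
    return fields[5] if len(fields) > 5 else ""


def matches_rule(log_line: str, decode: bool = True) -> bool:
    """True if the query string satisfies any pattern of the selection.
    With decode=True the field is URL-decoded first, so '+', '%20' and
    percent-encoded letters (e.g. %55NION) cannot hide the keywords; the
    Sigma rule as written inspects the raw field, which decode=False mimics."""
    q = query_string(log_line)
    if decode:
        q = unquote_plus(q)
    return any(rx.search(q) for rx in COMPILED)


def scan(log_text: str, decode: bool = True) -> list:
    """Return the 1-based numbers of the lines that satisfy the rule."""
    return [
        n for n, line in enumerate(log_text.splitlines(), start=1)
        if line.strip() and matches_rule(line, decode)
    ]


# Constructed sample log: one benign search, two injection-shaped requests
# (the second with a percent-encoded 'U'), and one benign false-positive case.
SAMPLE_LOG = """\
2026-05-22 07:20:01 203.0.113.10 GET /erp/search search_key=smith 200
2026-05-22 07:20:05 203.0.113.10 GET /erp/search search_key=x%27+union+select+null,null-- 200
2026-05-22 07:20:09 198.51.100.7 GET /erp/search search_key=%27+%55NION+SELECT+database()-- 200
2026-05-22 07:21:00 192.0.2.44 GET /erp/search search_key=reunion+selection 200
"""

if __name__ == "__main__":
    print("decoded match  :", scan(SAMPLE_LOG))                # [2, 3, 4]
    print("raw-field match:", scan(SAMPLE_LOG, decode=False))  # [2, 4]
```

Line 3 is only caught when the field is decoded first, so normalise the query string in the SIEM (or add encoded variants to the selection) before trusting the rule; line 4 shows that "reunion ... selection" satisfies `search_key=*UNION*SELECT*`, so expect some tuning against legitimate search terms before raising the rule to a blocking severity.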
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-4834 | SQLi | WP ERP Pro plugin for WordPress |
| CVE-2026-4834 | SQLi | Versions up to, and including, 1.5.1 |
| CVE-2026-4834 | SQLi | Vulnerable parameter: 'search_key' |
| CVE-2026-4834 | SQLi | Attack vector: unauthenticated attackers |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 22, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.