Boost WordPress Plugin: Unauthenticated SQLi Exposes Data via current_url, user_name

The Boost plugin for WordPress, in versions up to and including 2.0.3, is vulnerable to time-based SQL Injection. The National Vulnerability Database, citing CVE-2026-9010, details that insufficient escaping of user-supplied parameters like ‘current_url’ and ‘user_name’, coupled with inadequate preparation of existing SQL queries, creates this critical flaw. This isn’t theoretical – it’s a direct path for unauthenticated attackers to manipulate existing database queries.

This vulnerability, rated 7.5 HIGH on the CVSS scale, allows attackers to append arbitrary SQL queries. The immediate consequence is the potential for extracting sensitive information directly from the underlying database. The ‘unauthenticated’ aspect is key here: it means attackers don’t need any prior access or credentials to exploit this, significantly lowering the bar for compromise. This isn’t some complex zero-day requiring deep network access; it’s a web-facing flaw that any script kiddie can leverage.

For defenders, this is a clear and present danger to any WordPress site running the affected Boost plugin. The attacker’s calculus is simple: find a vulnerable site, craft a malicious URL, and start dumping data. Because the National Vulnerability Database entry does not specify affected products, anyone using this plugin must assume they are exposed.

What This Means For You

  • If your organization uses the Boost plugin for WordPress, you are exposed to unauthenticated SQL injection. This isn't a future threat; it's exploitable now. Identify all instances of the Boost plugin, verify their versions, and prioritize patching or disabling if updates aren't immediately available. Audit your WordPress database access logs for any anomalous queries or data exfiltration attempts.

Detection Rules

Severity: high | ATT&CK: T1190 (Initial Access)

CVE-2026-9010 - Boost WordPress Plugin Unauthenticated SQL Injection

Sigma YAML:
title: CVE-2026-9010 - Boost WordPress Plugin Unauthenticated SQL Injection
id: scw-2026-05-20-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit the 'current_url' and 'user_name' parameters in the Boost WordPress plugin (versions up to 2.0.3) for SQL injection. This rule specifically looks for the plugin's directory in the URI and the vulnerable parameters in the query string, indicating a potential exploitation attempt for CVE-2026-9010.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-9010/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-content/plugins/boost/'
    cs-uri-query|contains:
      - 'current_url='
      - 'user_name='
  condition: selection
falsepositives:
  - Legitimate administrative activity
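
The rule above fires on any request under the plugin directory that carries either parameter, so benign traffic matches as well. The following triage script is an added example, not part of the original page or the rule author's code: it applies the same path and parameter selection to access-log lines and then flags parameter values containing SQL timing calls. The combined log format, the `TIMING_CALL` heuristic, the `placeholder.php` endpoint and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

PLUGIN_PATH = "/wp-content/plugins/boost/"  # cs-uri value from the Sigma rule
PARAMS = ("current_url", "user_name")       # cs-uri-query values from the rule
# Assumption: combined log format, request line in the first quoted field.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
# Assumed heuristic (not from the advisory): MySQL timing function calls.
TIMING_CALL = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so double-encoded input is inspected too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(line):
    """Return (client, verdict); verdict is None, 'rule-match' or 'sqli-suspect'."""
    m = REQUEST.match(line)
    if not m:
        return None, None
    client, target = m.group(1), urlsplit(m.group(2))
    pairs = parse_qsl(target.query, keep_blank_values=True)
    values = [fully_decode(v) for k, v in pairs if k in PARAMS]
    if PLUGIN_PATH not in target.path.lower() or not values:
        return client, None
    hit = any(TIMING_CALL.search(v) for v in values)
    return client, "sqli-suspect" if hit else "rule-match"

def suspects_by_client(lines):
    """Count 'sqli-suspect' requests per client address."""
    return Counter(c for c, v in map(triage, lines) if v == "sqli-suspect")

# Constructed sample lines; placeholder.php is not a real plugin file.
BASE = '{} - - [20/May/2026:08:01:12 +0000] "GET {} HTTP/1.1" 200 312'
EP = PLUGIN_PATH + "placeholder.php"
SAMPLE_LOG = [
    BASE.format("198.51.100.4", EP + "?current_url=%2Fshop&user_name=alice"),
    BASE.format("203.0.113.7", EP + "?user_name=a%27+AND+SLEEP%285%29--+"),
    BASE.format("203.0.113.7", EP + "?current_url=%252Fa%2527%2520OR%2520SLEEP%25283%2529"),
    BASE.format("198.51.100.4", "/wp-content/plugins/other/x.php?user_name=bob"),
]

if __name__ == "__main__":
    print([triage(e)[1] for e in SAMPLE_LOG], suspects_by_client(SAMPLE_LOG))
```

Like the rule, this only sees parameters carried in the query string; values sent in a request body do not appear in an access log.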

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-9010 | SQLi | Boost plugin for WordPress versions <= 2.0.3 |
| CVE-2026-9010 | SQLi | Vulnerable parameters: 'current_url', 'user_name' |
| CVE-2026-9010 | SQLi | Attack vector: time-based SQL Injection |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 20, 2026 at 07:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
