What the vulnerability does
01 Description
The Shield Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 21.0.8. This is due to the plugin allowing nonce verification to be bypassed via a user-supplied parameter in the 'isNonceVerifyRequired' function. This makes it possible for unauthenticated attackers to execute SQL injection attacks, extracting sensitive information from the database, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Explanation of Vulnerability in Simple Terms
02 Summary
Shield contains a SQL injection vulnerability in versions up to 21.0.8. An attacker can craft a malicious link that, when clicked by a site visitor, executes arbitrary SQL queries against the site's database. This allows reading sensitive data like user credentials and configuration details. Update to a version newer than 21.0.8 to fix this issue.
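The Description and Summary above both come down to one design flaw: the decision whether a nonce is checked is taken from request input, so a forged request can switch the CSRF check off and reach a database query. The following PHP is an added illustrative example written for this page; it is not Shield Security's code, and every name in it (the two decision functions, the `example_plugin` action, the `skip_nonce` parameter, the `example_table` table) is a hypothetical placeholder. It contrasts the bypassable pattern with a handler that derives the nonce requirement from server-side policy only, adds a capability check, and uses a prepared statement so the remaining input cannot become SQL.

```php
<?php
// Added illustrative example for this advisory; not the plugin's own code.
// All function, action, parameter and table names below are hypothetical.

// Pattern A (bypassable): whether CSRF protection applies is decided by a
// value the requester controls. A forged request simply sets that value.
function weak_is_nonce_verify_required(array $request): bool {
    return empty($request['skip_nonce']);   // attacker-controlled switch
}

// Pattern B: the requirement is a fixed server-side policy keyed on the
// action name; nothing in the request can turn it off.
function strict_is_nonce_verify_required(string $action): bool {
    $protected = ['export_table', 'delete_entry', 'run_query'];
    return in_array($action, $protected, true);
}

// WordPress-style admin-ajax handler (hypothetical) applying pattern B,
// a capability check, and a prepared query.
function example_plugin_ajax_handler(): void {
    global $wpdb;

    $action = isset($_POST['plugin_action']) ? sanitize_key($_POST['plugin_action']) : '';

    if (strict_is_nonce_verify_required($action)) {
        // Terminates the request (HTTP 403) when the per-action nonce in the
        // 'security' field is missing, expired, or issued for another action.
        check_ajax_referer('example_plugin_' . $action, 'security');
    }

    // Nonces prove intent, not authorisation: still check the capability.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }

    // Coerce the identifier to an integer and bind it with a placeholder so
    // the value is never interpolated into SQL as text.
    $id  = isset($_POST['id']) ? absint($_POST['id']) : 0;
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, label FROM {$wpdb->prefix}example_table WHERE id = %d",
            $id
        ),
        ARRAY_A
    );

    wp_send_json_success($row);
}
add_action('wp_ajax_example_plugin', 'example_plugin_ajax_handler');
```

When reviewing a plugin for this class of issue, the question to ask of any "is verification required" helper is whether its inputs include anything from `$_GET`, `$_POST`, `$_REQUEST` or headers; if so, the check can be disabled by the same party it is meant to constrain.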
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the site's database by injecting SQL commands through a crafted link.
Potential impact on your site
04 Site Impact
User credentials, private posts, and database configuration may be exposed to attackers.
Conditions required to exploit
05 Prerequisites
A site visitor must click an attacker-supplied link while logged in or visiting the site.
Key dates
06 Disclosure timeline
February 19, 2026: CVE published
April 8, 2026: Record updated