CVE-2026-0722 MEDIUM

CVE-2026-0722: Shield Security <= 21.0.8 - Cross-Site Request Forgery to SQL Injection

Vendor Paultgoodchild
Product Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Weakness CWE-89 · SQLi
Published February 19, 2026
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The Shield Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 21.0.8. This is because the plugin allows nonce verification to be bypassed via a user-supplied parameter in the 'isNonceVerifyRequired' function. This makes it possible for unauthenticated attackers to execute SQL injection attacks, extracting sensitive information from the database, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
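To illustrate the class of defect the description names (a nonce check whose execution depends on request input, followed by an unprepared query), here is an added, hypothetical WordPress AJAX handler beside its hardened form. This is not the Shield plugin's own source; the function names, the `skip_nonce` and `search` parameters, the `demo_items` table and the `shield_demo_action` nonce are all assumptions for illustration.

```php
<?php
// Hypothetical WordPress AJAX handler: CSRF (CWE-352) leading to SQLi (CWE-89).
// All names here (shield_demo_*, 'skip_nonce', 'search', demo_items) are
// assumptions for illustration, not identifiers from the Shield plugin.

// ANTI-PATTERN: whether the nonce is verified is decided by request input.
// A forged request can set the parameter itself and skip CSRF protection;
// the concatenated query then lets the same request inject SQL.
function shield_demo_is_nonce_required_insecure( array $request ): bool {
    // Attacker-controlled: the forged request can simply send skip_nonce=1.
    return empty( $request['skip_nonce'] );
}

function shield_demo_handler_insecure() {
    global $wpdb;
    if ( shield_demo_is_nonce_required_insecure( $_REQUEST ) ) {
        check_ajax_referer( 'shield_demo_action', '_wpnonce' );
    }
    $term = $_REQUEST['search'] ?? '';
    // String interpolation into SQL: injectable once the nonce check is skipped.
    $rows = $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}demo_items WHERE name LIKE '%{$term}%'"
    );
    wp_send_json_success( $rows );
}

// HARDENED: the nonce check is unconditional, a capability check gates the
// action, and the query is parameterised so input cannot change its shape.
function shield_demo_handler_secure() {
    global $wpdb;
    check_ajax_referer( 'shield_demo_action', '_wpnonce' ); // terminates on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $term = sanitize_text_field( wp_unslash( $_REQUEST['search'] ?? '' ) );
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}demo_items WHERE name LIKE %s",
            '%' . $wpdb->esc_like( $term ) . '%'
        )
    );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_shield_demo_action', 'shield_demo_handler_secure' );
```

When reviewing a plugin for this pattern, grep for conditions around `check_ajax_referer`, `check_admin_referer` and `wp_verify_nonce` that read from `$_GET`, `$_POST` or `$_REQUEST`; the nonce decision should never be reachable from request data.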

Explanation of Vulnerability in Simple Terms

02 Summary

Shield contains a SQL injection vulnerability in versions up to and including 21.0.8. An attacker can craft a malicious link that, when clicked by a site visitor, executes arbitrary SQL queries against the site's database. This allows reading sensitive data such as user credentials and configuration details. Update to a version newer than 21.0.8 to fix this issue.

What an attacker can do

03 Attacker Capabilities

Read sensitive data from the site's database by injecting SQL commands through a crafted link.

Potential impact on your site

04 Site Impact

User credentials, private posts, and database configuration may be exposed to attackers.

Conditions required to exploit

05 Prerequisites

A site visitor must click an attacker-supplied link while logged in or visiting the site.

Key dates

06 Disclosure timeline

February 19, 2026 CVE published
April 8, 2026 Record updated