What the vulnerability does
01Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team WZone woozone allows Blind SQL Injection.This issue affects WZone: from n/a through <= 14.0.31.
CVE-2026-27039
HIGH
CVE-2026-27039: WordPress WZone plugin <= 14.0.31 - SQL Injection vulnerability
CVSS base score
8.5/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Explanation of Vulnerability in Simple Terms
02Summary
WZone versions 14.0.31 and earlier contain a SQL injection vulnerability in a network-accessible function that requires low-level authentication. An attacker with a valid user account can inject malicious SQL commands to read sensitive data from the database. The vulnerability also allows limited disruption of site availability. Scope is changed, meaning the impact may extend beyond the vulnerable component itself.
What an attacker can do
03Attacker Capabilities
Read sensitive data from the database and cause limited service disruption.
Potential impact on your site
04Site Impact
Unauthorized database access and potential data breach affecting user information and site stability.
Conditions required to exploit
05Prerequisites
Attacker must have a valid user account with low-level privileges and network access to the application.
Key dates
06Disclosure timeline
March 25, 2026
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2024-5653 Chanjet Smooth T+system keyEdit.aspx sql injection
CVE-2026-13486 SourceCodester Class and Exam Timetabling System preview6.php sql injection
CVE-2025-67962 WordPress Broken Link Checker plugin <= 1.2.6 - SQL Injection vulnerability
CVE-2025-8925 itsourcecode Sports Management System match.php sql injection
CVE-2025-2221 WPCOM Member <= 1.7.6 - Unauthenticated Time-Based SQL Injection
