– Proof of Concept - Atomic Edge

Atomic Edge analysis of CVE-2026-2279 (metadata-based):
The myLinksDump WordPress plugin contains an authenticated SQL injection vulnerability in all versions up to and including 1.6. This vulnerability allows attackers with administrator-level privileges to inject malicious SQL queries through the ‘sort_by’ and ‘sort_order’ parameters. The CVSS 7.2 score reflects the high impact on confidentiality, integrity, and availability, though exploitation requires administrative access.

Atomic Edge research identifies the root cause as improper neutralization of user-supplied input before inclusion in SQL commands (CWE-89). The vulnerability description confirms insufficient escaping and lack of prepared statements. Without source code, we infer the plugin likely constructs SQL queries by directly concatenating user-controlled ‘sort_by’ and ‘sort_order’ parameters into ORDER BY clauses or similar query fragments. This inference aligns with common WordPress plugin patterns where sorting parameters receive less security scrutiny than WHERE clause values.

Exploitation requires sending authenticated requests to a WordPress administrative endpoint, likely an AJAX handler or admin page specific to the myLinksDump plugin. Attackers would craft malicious payloads in the ‘sort_by’ or ‘sort_order’ parameters to perform UNION-based or time-based blind SQL injection. Example payloads might include ‘CASE WHEN (SELECT 1 FROM wp_users WHERE ID=1)=1 THEN id ELSE title END’ for conditional logic or ‘id; SELECT SLEEP(5)–‘ for time-based extraction.

Remediation requires implementing proper input validation and parameterized queries. The plugin should validate ‘sort_by’ and ‘sort_order’ against a whitelist of allowed column names and sort directions (ASC/DESC). Alternatively, the plugin should use WordPress $wpdb->prepare() method with placeholders for all user-supplied SQL fragments. Since no patched version exists, site administrators must remove the plugin or implement virtual patching.

Successful exploitation enables complete database compromise. Attackers can extract sensitive information including WordPress user credentials (hashed passwords), authentication cookies, plugin-specific data, and potentially other database contents. The administrative requirement limits immediate risk, but compromised administrator accounts or insider threats could leverage this for persistent backdoor installation or lateral movement within the database.