CVE-2026-9010
⚠️ highSummary
The Boost plugin for WordPress is vulnerable to time-based SQL Injection via the 'current_url' and 'user_name' parameters in versions up to, and including, 2.0.3 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Score
7.5
High
EPSS Score
0.1
Exploit Probability
Published Date
2026-05-20
First Seen: 2026-05-21
📊 Relative Risk Intelligence
This CVE is Moderate Risk - more severe than 69.0% of all 325,680 vulnerabilities in our database.
#100,992
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 20, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Osvaldo Noe Gonzalez Del Rio
SSVC data provided by
CISA
Last Modified
2026-05-20
Source
NVD 🔗
CVSS Vector 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE IDs (Weakness Types)