CVE-2026-5207: The LifterLMS plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and i
medium vulnerability
security
Summary
The LifterLMS plugin for WordPress (a learning management system plugin) has a SQL injection vulnerability (a flaw where attackers can insert malicious database commands into normal queries) via the 'order' parameter in versions up to 9.2.1. Because the plugin does not properly clean user input before using it in database queries, authenticated attackers with Instructor-level access and above can exploit this to extract sensitive information from the database.
Vulnerability Details
CVSS Score
6.5 (medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
network
Attack Complexity
low
Privileges Required
low
User Interaction
none
Disclosure Date
April 10, 2026
Classification
Attack Sophistication
Moderate
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-5207
First tracked: April 11, 2026 at 02:07 AM
Classified by LLM (prompt v3) · confidence: 95%