Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15445

CVE-2026-15445: SEO Booster Plugin SQL Injection Flaw

CVE-2026-15445 is a time-based SQL injection flaw in SEO Booster plugin for WordPress that allows authenticated administrators to extract sensitive database information. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-15445 Overview

CVE-2026-15445 is a time-based SQL Injection vulnerability in the SEO Booster plugin for WordPress. The flaw affects all versions up to and including 7.3.1. It resides in the handling of the orderby parameter, which is placed into an ORDER BY clause without sufficient escaping or query preparation. Authenticated attackers with administrator-level access can append SQL queries to existing statements and extract sensitive data from the WordPress database. The issue is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

Critical Impact

Authenticated administrators can leverage the orderby parameter to execute time-based SQL injection and exfiltrate arbitrary data from the WordPress database.

Affected Products

  • WordPress SEO Booster plugin versions up to and including 7.3.1
  • WordPress installations with SEO Booster active and administrator accounts provisioned
  • Multi-site WordPress environments where the plugin is network-enabled

Discovery Timeline

  • 2026-07-16 - CVE-2026-15445 published to NVD
  • 2026-07-16 - Last updated in NVD database

Technical Details for CVE-2026-15445

Vulnerability Analysis

The vulnerability originates in the SEO Booster plugin's Google Search Console (GSC) list table component, specifically in SB_GSC_List_Table.php around lines 559 and 579, and in seo-booster-gsc.php at line 27. The plugin passes the user-controlled orderby request parameter into a raw SQL query used to render the GSC data table.

The developer applied esc_sql() and sanitize_text_field() to the parameter. Neither function neutralizes SQL keywords, commas, parentheses, or subquery syntax when the value is embedded in an unquoted ORDER BY context. This leaves the clause fully attacker-controlled and permits injection of subqueries such as (SELECT CASE WHEN ... THEN SLEEP(n) END) for time-based extraction.

Exploitation requires administrator-level privileges, which limits the attack surface to authorized users or compromised administrator accounts. Successful exploitation results in confidentiality impact through database content extraction.

Root Cause

The root cause is improper input neutralization for SQL. esc_sql() escapes quote characters and is designed for values inside quoted string literals, not for structural SQL positions such as ORDER BY column names or direction keywords. The plugin also omits wpdb::prepare() with a whitelist validation for the sort column, allowing arbitrary SQL fragments to become part of the executed statement.

Attack Vector

An authenticated administrator sends a crafted HTTP request to the SEO Booster GSC list table endpoint with a malicious orderby value. The attacker inserts a time-delay subquery and observes server response latency to infer database contents byte by byte. Because the injection is blind and time-based, no direct query output is required to exfiltrate data such as user credentials, session tokens, or WordPress secrets stored in wp_options.

Refer to the Wordfence Vulnerability Analysis and the WordPress SEO Booster Code Reference for the vulnerable code paths.

Detection Methods for CVE-2026-15445

Indicators of Compromise

  • HTTP requests to SEO Booster GSC admin pages containing orderby values with SQL keywords such as SLEEP, BENCHMARK, CASE WHEN, SELECT, or parenthesized subqueries.
  • Unusually long response times on wp-admin requests referencing the SEO Booster list table, consistent with time-based blind injection.
  • Repeated administrator-authenticated requests to the same SEO Booster endpoint with iterative changes to the orderby parameter.

Detection Strategies

  • Inspect WordPress access logs for orderby parameter values that exceed expected column-name length or contain non-alphanumeric characters.
  • Enable MySQL slow query logging to surface SLEEP() or BENCHMARK() calls originating from the SEO Booster query paths.
  • Deploy a web application firewall rule that blocks SQL metacharacters in orderby on plugin admin endpoints.

Monitoring Recommendations

  • Monitor for administrator sessions issuing repeated requests against SB_GSC_List_Table endpoints within short time windows.
  • Alert on spikes in wp-admin request latency correlated with the SEO Booster plugin.
  • Track integrity of administrator accounts and audit new administrator provisioning that could stage this attack.

How to Mitigate CVE-2026-15445

Immediate Actions Required

  • Upgrade the SEO Booster plugin to a version later than 7.3.1 that includes the fix from the WordPress SEO Booster Changeset.
  • Audit WordPress administrator accounts, remove unused accounts, and enforce multi-factor authentication for all remaining administrators.
  • Rotate WordPress secrets in wp-config.php and database credentials if compromise is suspected.

Patch Information

The vendor addressed the issue in the SEO Booster plugin via the changeset referenced above. Administrators should update through the WordPress plugin dashboard or via WP-CLI. Confirm the installed version is greater than 7.3.1 after applying the update.

Workarounds

  • Temporarily deactivate the SEO Booster plugin until the patched version is installed.
  • Restrict access to wp-admin by IP allow-listing at the web server or WAF to reduce exposure of privileged endpoints.
  • Apply a WAF signature that rejects orderby values not matching a strict allow-list of expected column names.
bash
# Example WP-CLI update command
wp plugin update seo-booster --version="latest"
wp plugin get seo-booster --field=version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.