{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32516", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:13.806Z", "datePublished": "2026-03-25T16:15:06.373Z", "dateUpdated": "2026-03-25T16:15:06.373Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "miraculouscore", "product": "Miraculous Core Plugin", "vendor": "kamleshyadav", "versions": [{"changes": [{"at": "2.1.2", "status": "unaffected"}], "lessThanOrEqual": "< 2.1.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:41.339Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection.<p>This issue affects Miraculous Core Plugin: from n/a through < 2.1.2.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection.This issue affects Miraculous Core Plugin: from n/a through < 2.1.2."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:06.373Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/miraculouscore/vulnerability/wordpress-miraculous-core-plugin-plugin-2-1-2-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Miraculous Core Plugin plugin < 2.1.2 - SQL Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection.This issue affects Miraculous Core Plugin: from n/a through < 2.1.2."}], "id": "CVE-2026-32516", "lastModified": "2026-03-25T17:17:04.147", "metrics": {}, "published": "2026-03-25T17:17:04.147", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/miraculouscore/vulnerability/wordpress-miraculous-core-plugin-plugin-2-1-2-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:28:22.451170+00:00", "value": {"mitigation_remediation": ["Update the Miraculous Core Plugin to version 2.1.2 or newer. If an update is not feasible, uninstall or disable the plugin entirely. Restrict administrative access to trusted users and monitor database logs for anomalous activity. Verify that other plugins or custom code do not introduce similar input validation issues."], "summary": {"action": "Immediate Patch", "impact": "Blind SQL Injection allowing unauthorized data exposure"}, "threat_synthesis": {"affected_systems": "The flaw affects WordPress installations running the Miraculous Core Plugin developed by kamleshyadav. Versions from the earliest (n/a) through any release prior to 2.1.2 are vulnerable. Any deployment that has not upgraded to 2.1.2 or later is at risk.", "description_and_impact": "The vulnerability arises from improper neutralization of special elements used in an SQL command within the Miraculous Core Plugin. This flaw permits a blind SQL injection attack, enabling an attacker to extract sensitive data or possibly alter database contents if the input is not adequately sanitized.", "risk_and_exploitability": "The CVSS base score is not supplied, and the EPSS is unavailable, but the presence of an unauthenticated SQL injection vulnerability in a widely deployed WordPress plugin would represent a high risk in a public-facing site. The likely attack vector involves supplying malicious input via plugin parameters exposed in HTTP requests; no authentication appears required. Since the vulnerability is listed in the NVD, it may already be in the know to attackers, increasing exploit likelihood."}}}}, "created": "2026-03-25T21:47:23.916059+00:00", "updated": "2026-03-25T21:47:23.916099+00:00", "vendors": []}