PatchSiren cyber security CVE debrief
CVE-2026-8978 crafium CVE debrief
The OptinCraft – Drag & Drop Optins & Popup Builder for WordPress plugin for WordPress is vulnerable to generic SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Vendor
- crafium
- Product
- OptinCraft – Drag & Drop Optins & Popup Builder for WordPress
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-06
- Original CVE updated
- 2026-06-08
- Advisory published
- 2026-06-06
- Advisory updated
- 2026-06-08
Who should care
Users of OptinCraft – Drag & Drop Optins & Popup Builder for WordPress plugin for WordPress, version 1.2.0 or earlier.
Technical summary
The vulnerability exists in the OptinCraft – Drag & Drop Optins & Popup Builder for WordPress plugin. The 'order_by' parameter is not properly sanitized, allowing attackers to inject malicious SQL code. The vulnerability requires administrator-level access and above.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a patched version of the plugin, if available.
- Restrict access to the plugin's functionality to only trusted users.
- Monitor database activity for suspicious queries.
Evidence notes
The CVE-2026-8978 vulnerability was reported by [email protected]. The vulnerability affects all versions up to and including 1.2.0 of the OptinCraft – Drag & Drop Optins & Popup Builder for WordPress plugin.
Official resources
CVE-2026-8978 was published on 2026-06-06T04:17:41.513Z and modified on 2026-06-08T14:57:14.757Z.