PatchSiren cyber security CVE debrief
CVE-2026-4834 weDevs CVE debrief
CVE-2026-4834 describes an unauthenticated SQL injection in the WP ERP Pro plugin for WordPress affecting all versions up to and including 1.5.1. The issue is tied to insufficient escaping and insufficient query preparation for the user-supplied search_key parameter. Because the flaw can be reached without authentication and is associated with high confidentiality impact, it should be treated as a priority patch for any exposed WordPress instance running the affected plugin.
- Vendor: weDevs
- Product: WP ERP Pro
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-22
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-22
Who should care
WordPress administrators, plugin maintainers, hosting providers, and security teams responsible for sites using WP ERP Pro version 1.5.1 or earlier should review this immediately. Data protection teams should also care because the issue may allow database content exposure.
Technical summary
The supplied record identifies CWE-89 (SQL Injection), and NVD assigns the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network-reachable, low attack complexity, no privileges or user interaction required, and high confidentiality impact with no integrity or availability impact. The vulnerable path is the search_key parameter: because the value is neither sufficiently escaped nor bound through a prepared query, an attacker can append additional SQL or alter the existing query, potentially exposing sensitive database contents. The source corpus does not provide exploit proof, affected table names, or post-exploitation behavior beyond the data-extraction risk.
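The defect class named above (a user-supplied search term spliced into SQL text instead of being bound through a prepared statement) is illustrated by the following added example. It is not WP ERP Pro's code and makes no claim about how that plugin builds its query: Python with an in-memory SQLite table stands in for PHP and MySQL, the `contacts` table and its columns are constructed for the demonstration, and the WordPress equivalent of the hardened form is `$wpdb->prepare()` together with `$wpdb->esc_like()`.

```python
import sqlite3

# Constructed sample data standing in for a plugin record table; the real schema of
# WP ERP Pro is not given on the page, so the table and column names are assumptions.
SAMPLE_ROWS = [
    (1, "Alice Example", "alice@example.test"),
    (2, "Bob Example", "bob@example.test"),
    (3, "Dan O'Brien", "dan@example.test"),
]


def open_sample_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_unprepared(conn, search_key):
    """Defective pattern: the user value is spliced into the SQL text.

    Any quote, comment marker or semicolon inside search_key is parsed as SQL
    syntax rather than as data, which is the CWE-89 condition the advisory
    describes as insufficient escaping and insufficient query preparation.
    """
    sql = f"SELECT id, name FROM contacts WHERE name LIKE '%{search_key}%'"
    return conn.execute(sql).fetchall()


def search_prepared(conn, search_key):
    """Hardened pattern: the value is bound as a query parameter.

    The driver hands search_key to the database as one string literal, so it
    cannot change the statement's structure. LIKE wildcards in the input are
    also escaped so that a user-supplied '%' or '_' matches literally.
    """
    escaped = (
        search_key.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = "SELECT id, name FROM contacts WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


def unprepared_query_breaks(conn, search_key):
    """True when the spliced query fails to parse: proof the input reached the SQL parser."""
    try:
        search_unprepared(conn, search_key)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_sample_db()
    print(search_prepared(db, "O'Brien"))        # [(3, "Dan O'Brien")]
    print(unprepared_query_breaks(db, "O'Brien"))  # True
```

A legitimate name containing an apostrophe is enough to show the difference: the spliced query fails to parse because the quote terminates the string literal early, while the bound parameter returns the matching row. The same mechanism that breaks on `O'Brien` is what lets a crafted value alter the query, and the bound form closes it without any input filtering.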
Defensive priority
High. This is an unauthenticated, network-reachable SQL injection with high confidentiality impact, so exposed WordPress deployments should be prioritized for immediate assessment and update planning.
Recommended defensive actions
- Confirm whether WP ERP Pro is installed and whether any instance is running version 1.5.1 or earlier.
- Apply the vendor-supplied fix or upgrade to a non-affected version as soon as one is available from official sources.
- If immediate patching is not possible, restrict access to the affected application surface and monitor requests involving the search_key parameter.
- Review database and application logs for unusual query patterns or unexpected data access around the affected plugin endpoints.
- Validate that backups are current before making changes, and rotate credentials or secrets if there is evidence of database exposure.
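For the monitoring step above, the following added example (not part of the original advisory or of any vendor tooling) pulls every request that carries a `search_key` query parameter out of combined-format access logs and flags values containing SQL metacharacters. The log lines, IP addresses and the `/example-plugin-endpoint` path are constructed placeholders; the page does not name the affected endpoint, so the check keys on the parameter name alone.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined format. The path, IPs and values are
# placeholders for the demonstration, not traffic observed against any real site.
SAMPLE_LOG = """\
203.0.113.10 - - [22/May/2026:10:01:02 +0000] "GET /example-plugin-endpoint?search_key=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [22/May/2026:10:01:09 +0000] "GET /example-plugin-endpoint?search_key=%27%3B-- HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [22/May/2026:10:02:15 +0000] "GET /index.php?p=42 HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

# Combined log format: client, identity, user, [timestamp], "METHOD target proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Characters and sequences that have no place in an ordinary search term.
SUSPICIOUS = re.compile(r"""['"`;]|--|/\*|\*/""")


def extract_search_keys(log_text):
    """Yield (ip, timestamp, status, decoded search_key) for each request carrying the parameter."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes the values, so the check sees what the application saw.
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in query.get("search_key", []):
            yield m["ip"], m["ts"], m["status"], value


def find_suspicious_search_keys(log_text):
    """Return one finding per search_key value that contains SQL metacharacters."""
    findings = []
    for ip, ts, status, value in extract_search_keys(log_text):
        hits = sorted(set(SUSPICIOUS.findall(value)))
        if hits:
            findings.append(
                {"ip": ip, "time": ts, "status": status, "value": value, "metachars": hits}
            )
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_search_keys(SAMPLE_LOG):
        print(finding)
```

Treat the output as triage input rather than proof: a quote in a search term can be a legitimate name, so each hit should be correlated with the database and application logs named in the previous step, and with response sizes that are unusually large for the endpoint. The parser only sees GET query strings; if the parameter is also accepted in POST bodies, those requests need to be captured at the application or WAF layer instead.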
Evidence notes
The CVE description supplied in the corpus states that WP ERP Pro plugin versions up to and including 1.5.1 are vulnerable to SQL injection via the search_key parameter. The NVD source item lists CWE-89 and a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, supporting a high-priority defensive response. The source corpus includes references to wperp.com and a Wordfence advisory URL, but it does not supply a confirmed vendor identity beyond low-confidence attribution, so vendor naming should be treated cautiously.
Official resources
Public CVE record published on 2026-05-22. No KEV entry was supplied in the provided corpus. Vendor attribution in the supplied data is low-confidence and marked for review.