CVE-2026-0816 is a time-based SQL Injection vulnerability identified in the All push notification for WP plugin for WordPress, affecting all versions up to and including 1.5.3. The root cause is insufficient escaping and lack of prepared statements for the 'delete_id' parameter, which is user-supplied. This flaw allows attackers with administrator-level privileges to append malicious SQL code to existing queries executed by the plugin. The vulnerability enables extraction of sensitive information from the underlying database by leveraging time delays to infer data, a common technique in blind SQL injection attacks. Exploitation requires no additional user interaction but does require authenticated access at a high privilege level, limiting the attack surface to compromised or malicious administrators. The CVSS v3.1 base score is 4.9 (medium), reflecting the network attack vector, low attack complexity, high privileges required, no user interaction, and a confidentiality impact without integrity or availability impact. No patches or known exploits are currently reported, but the vulnerability poses a risk to data confidentiality on affected WordPress sites. The vulnerability is cataloged under CWE-89, indicating improper neutralization of special elements in SQL commands.

The primary impact of this vulnerability is the potential unauthorized disclosure of sensitive information stored in the WordPress database, such as user credentials, personal data, or configuration details. Since exploitation requires administrator-level access, the threat is mainly from insider threats or attackers who have already compromised admin credentials. The vulnerability does not affect data integrity or availability, so it does not allow data modification or denial of service. However, the ability to extract sensitive data can lead to further attacks, including privilege escalation, identity theft, or lateral movement within the organization’s infrastructure. Organizations running WordPress sites with this plugin are at risk of data breaches, which can damage reputation, incur regulatory penalties, and cause operational disruptions. The medium severity score reflects the balance between the high privilege requirement and the significant confidentiality impact.

1. Apply patches or updates from the plugin vendor as soon as they become available to address the SQL injection vulnerability. 2. Until patches are released, restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns, especially targeting the 'delete_id' parameter. 4. Conduct regular security audits and monitoring of WordPress admin activities to detect unusual behavior that could indicate exploitation attempts. 5. Implement the principle of least privilege by limiting plugin usage and administrative rights only to necessary users. 6. Consider disabling or replacing the vulnerable plugin with alternatives that follow secure coding practices. 7. Educate administrators about the risks of SQL injection and the importance of safeguarding credentials. 8. Monitor security advisories from WordPress and the plugin vendor for updates and exploit reports.