CVE-2026-2279: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in silvercover myLinksDump
The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sort_by' and 'sort_order' parameters in all versions up to, and including, 1.6 due to insufficient escaping of the user-supplied parameters and insufficient preparation of the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries to existing queries, which can be used to extract sensitive information from the database.
AI Analysis
Technical Summary
The myLinksDump plugin for WordPress, developed by silvercover, is affected by a SQL Injection vulnerability identified as CVE-2026-2279. The vulnerability exists in all versions up to and including 1.6 because user-supplied input in the 'sort_by' and 'sort_order' parameters is inadequately escaped and the query is inadequately prepared. Specifically, these parameters are incorporated directly into SQL queries without sufficient sanitization, enabling an authenticated user with administrator-level privileges or higher to append arbitrary SQL commands. This improper neutralization of special elements (CWE-89) allows attackers to manipulate backend database queries, potentially extracting sensitive data, modifying database contents, or causing denial of service by corrupting the database state. The vulnerability requires no user interaction beyond authentication, and the attack vector is network-based with low attack complexity. The CVSS 3.1 base score is 7.2, reflecting high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability still poses a significant risk despite the high privileges required, given the widespread use of WordPress and its plugins. Because no patch was available at the time of reporting, administrators need to act immediately to mitigate potential exploitation.
Potential Impact
If exploited, this vulnerability can lead to unauthorized disclosure of sensitive information stored in the WordPress database, including user credentials, configuration data, and potentially other sensitive content managed by the site. Attackers with administrator access can modify or delete data, compromising the integrity and availability of the website and its services. This could result in website defacement, data breaches, loss of customer trust, and regulatory compliance violations. Since the vulnerability requires administrator-level access, the threat is primarily from insider threats or compromised administrator accounts, but the impact remains severe due to the breadth of control such users have. Organizations relying on this plugin for critical website functionality face risks of operational disruption and reputational damage. Additionally, the vulnerability could be leveraged as a foothold for further attacks within the network if the WordPress instance is part of a larger infrastructure.
Mitigation Recommendations
Administrators should immediately review and restrict administrator account access to trusted personnel only, ensuring strong authentication mechanisms such as multi-factor authentication are in place to reduce the risk of account compromise. Until an official patch is released, consider disabling or uninstalling the myLinksDump plugin to eliminate the attack surface. If disabling is not feasible, implement web application firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'sort_by' and 'sort_order' parameters. Conduct thorough input validation and sanitization on all user inputs at the application level. Regularly audit logs for unusual database query patterns or administrator activities that could indicate exploitation attempts. Keep WordPress core and all plugins updated to the latest versions once patches become available. Finally, perform regular backups of the website and database to enable rapid recovery in case of compromise.
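The log-audit and WAF recommendations above can be made concrete with a strict shape check on the two affected parameters. The following is an added example, not code from the plugin or from this advisory: it scans web server access-log lines and flags any 'sort_by' value that is not a single bare identifier and any 'sort_order' value other than asc/desc. It assumes the parameters arrive in the query string of requests logged in common/combined log format (values sent in a POST body are not visible there); the log lines, IP addresses and the `example-page` slug are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Strict shapes for legitimate values: one bare column identifier, one direction keyword.
SAFE = {
    "sort_by": re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}"),
    "sort_order": re.compile(r"asc|desc", re.IGNORECASE),
}
# Request field of a common/combined log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (hypothetical page slug, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - admin [21/Mar/2026:04:01:15 +0000] "GET /wp-admin/admin.php?page=example-page&sort_by=title&sort_order=DESC HTTP/1.1" 200 5120',
    '203.0.113.7 - admin [21/Mar/2026:04:02:03 +0000] "GET /wp-admin/admin.php?page=example-page&sort_by=title%2C%28constructed%29&sort_order=asc HTTP/1.1" 200 5120',
    '198.51.100.9 - - [21/Mar/2026:04:03:40 +0000] "GET /wp-admin/admin.php?page=example-page&sort_by=id&sort_order=asc+--+x HTTP/1.1" 200 5120',
    '198.51.100.9 - - [21/Mar/2026:04:04:00 +0000] "GET /index.php HTTP/1.1" 200 900',
]

def suspicious_sort_params(log_line):
    """Return [(param, decoded_value), ...] for sort parameters failing the strict shape."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    hits = []
    # parse_qsl percent-decodes once, so double-encoded input still contains '%'
    # after decoding and fails the identifier check.
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = SAFE.get(name)
        if rule is not None and not rule.fullmatch(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return (line_number, client_ip, findings) for every line with a finding."""
    report = []
    for number, line in enumerate(lines, start=1):
        findings = suspicious_sort_params(line)
        if findings:
            report.append((number, line.split(" ", 1)[0], findings))
    return report

if __name__ == "__main__":
    for number, client, findings in scan(SAMPLE_LOG):
        print(f"line {number} from {client}: {findings}")
```

The same two patterns can serve as a positive-match WAF rule: reject any request where either parameter is present and does not match its pattern.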
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, France, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-10T14:14:37.085Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69be180bf4197a8e3b784279
Added to database: 3/21/2026, 4:01:15 AM
Last enriched: 3/21/2026, 4:17:46 AM
Last updated: 3/22/2026, 6:53:39 AM