CVE-2026-54813 (HIGH). CNA: Patchstack

CVE-2026-54813: WordPress SureDash plugin <= 1.8.0 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force SureDash allows Blind SQL Injection. This issue affects SureDash: from n/a through 1.8.0.

Metrics

  • CVSS v3.1: 8.5
  • Severity: HIGH
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

A SQL injection vulnerability in the WordPress SureDash plugin (versions up to and including 1.8.0) allows an attacker with network access to the site and a low-privilege account to send maliciously crafted database queries to the affected WordPress installation. The vulnerability is of the blind SQL injection variety, meaning the attacker extracts data by observing application behavior rather than direct output. Successful exploitation reads data from the underlying database and causes minor service disruption, with scope extending beyond the plugin itself to other components sharing the database. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-54813 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack and NVD) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the SureDash plugin. Any image carrying SureDash at version 1.8.0 or below is flagged automatically.

Triage: Available

Triage is available through HarborGuard's scoring pipeline, which surfaces this CVE at its CVSS v3.1 score of 8.5 (HIGH) and weights it against each customer's per-environment compliance policy. Findings are routed to the appropriate team inbox within each customer organization based on policy-defined severity thresholds and ownership mappings.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory and upstream plugin repository on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the WordPress installation via HTTP/HTTPS.

  • Authentication: Required

    Any low-privilege WordPress account (such as a subscriber-level user) is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    No victim action is needed; the attacker sends crafted requests directly to the application.

  • Attack complexity: Low

    The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental factors beyond network access and a valid low-privilege account.

Blast Radius

  • Reads data from the WordPress database beyond the plugin's own tables, including user credentials, session tokens, and site configuration stored by other plugins or WordPress core.
  • Extracts data through blind timing or boolean inference, which is slower but fully effective against all database content the database user can reach.
  • Causes minor, intermittent availability disruption to the affected WordPress installation as crafted queries increase database load.
  • Scope extends beyond SureDash itself: because the CVSS scope token is Changed, other components sharing the same database or application context are reachable.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-54813 is tracked continuously against all customer images that bundle the SureDash plugin at version 1.8.0 or below. Because Brainstorm Force has not yet published a patched release, no automated rebuild is available today, but HarborGuard re-evaluates the advisory on every ingest cycle and will queue a patched rebuild the moment an upstream fix appears. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation that restricts unauthenticated or low-trust traffic to WordPress admin surfaces, database-level egress filtering to limit what the WordPress database user can read, and disabling or removing the SureDash plugin entirely if its functionality is not currently needed. HarborGuard's advisory monitoring ensures no manual polling is required: customers will see the finding updated with fix availability as soon as upstream ships.

Affected packages

  • Brainstorm Force / SureDash, versions ≤ 1.8.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
References