CVE April 24, 2026 6 min read

CVE-2025-14124: SQL Injection in Team WordPress Plugin (CVSS 8.6)

A SQL injection vulnerability has been disclosed in the Team WordPress plugin. Tracked as CVE-2025-14124 with a CVSS score of 8.6 (High), this flaw affects all versions before 5.0.11 and allows unauthenticated attackers to execute arbitrary SQL queries through an AJAX action handler. The Team plugin, developed by AccessPress Themes, has over 5,000 active installations and is commonly used by businesses, agencies, and organizations to showcase their team members online.

The Team plugin provides functionality for displaying team members, testimonials, and staff directories in an attractive, grid-based layout. Users can create detailed team member profiles with photos, biographies, social media links, skills bars, and contact information. The plugin includes shortcodes and widgets that make it easy to embed team sections anywhere on a WordPress site. It also supports custom post types for team members and includes built-in styling options that match most WordPress themes.

SQL injection remains one of the most dangerous classes of web application vulnerabilities despite being well-understood and preventable. The root cause is almost always the same: the application concatenates user-supplied data directly into a SQL query string without proper sanitization or parameterization. In the case of CVE-2025-14124, the plugin before version 5.0.11 fails to properly sanitize and escape a parameter before using it in a SQL statement. The AJAX action passes this vulnerable parameter through to the query and is available to unauthenticated users. Anyone who can send HTTP requests to the target site can exploit this flaw.

Understanding SQL Injection

SQL injection (SQLi) is a code injection technique in which an attacker inserts malicious SQL statements into input fields or URL parameters that are then passed to a database server for execution. When a web application fails to properly validate or sanitize user input before using it in a database query, the attacker can manipulate the query structure to perform unintended actions on the database.

The basic mechanics of SQL injection involve breaking out of the intended query context by injecting SQL metacharacters. For example, a query might be built as "SELECT * FROM team_members WHERE id = " . $_GET['member_id']. An attacker can supply member_id as "1 OR 1=1" to return all records, or "1; DROP TABLE team_members" to delete the entire table. The database interprets the injected SQL as part of the legitimate query and executes commands the application developer never intended.

In WordPress, the recommended defense against SQL injection uses $wpdb->prepare() with placeholder-based parameterization. Instead of concatenating user input directly into the query string, the developer writes a query with %d, %s, or %f placeholders. The developer then passes the user input as a separate parameter. WordPress safely escapes and quotes the values before inserting them into the query. This prevents SQL injection regardless of what the user input contains.

The Vulnerability in Detail

The Team plugin version 5.0.10 and earlier contains an AJAX action handler that processes user-supplied input without proper sanitization. The vulnerable endpoint is registered on both the wp_ajax_ and wp_ajax_nopriv_ hooks, meaning both authenticated and unauthenticated users can reach it. This widens the exposure considerably: a visitor with no account on the site can exploit the vulnerability.

The specific vulnerable code pattern involves directly interpolating a user-supplied parameter into a SQL query without using $wpdb->prepare(). Instead of this safe approach:

// Safe: the %d placeholder binds $user_input as an integer, so the
// request cannot change the structure of the statement.
$results = $wpdb->get_results( $wpdb->prepare(
    "SELECT * FROM {$wpdb->posts} WHERE ID = %d",
    $user_input
) );

The plugin uses an unsafe pattern similar to:

// Unsafe: $user_input is concatenated into the statement verbatim, so a
// value such as "1 OR 1=1" becomes part of the SQL the database executes.
$results = $wpdb->get_results(
    "SELECT * FROM {$wpdb->posts} WHERE ID = " . $user_input
);

This direct concatenation allows an attacker to inject arbitrary SQL clauses. By crafting a malicious value for the $user_input parameter, the attacker can extract data from any table in the WordPress database. They can also modify existing data, insert new records, or even drop entire tables.
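As an added illustration (not the Team plugin's code and not taken from this article), the following shows the unsafe pattern and its $wpdb->prepare() replacement side by side inside a complete AJAX handler of the kind described above, registered on both the wp_ajax_ and wp_ajax_nopriv_ hooks. It assumes it is loaded inside WordPress (global $wpdb, add_action and the wp_send_json_* helpers); the action name example_get_team_member, the function names and the post type team_member are hypothetical placeholders.

```php
<?php
/**
 * Added example, not the Team plugin's code: an unauthenticated AJAX
 * handler that looks up a team member by ID, first in the unsafe
 * concatenating form and then in the hardened, parameterized form.
 * Assumes it runs inside WordPress. Action name, function names and the
 * post type 'team_member' are hypothetical placeholders.
 */

// ---- UNSAFE (shown for contrast, deliberately not registered below) ----
function example_team_member_unsafe() {
    global $wpdb;

    // Raw request value: "7 OR 1=1" or "7 UNION SELECT ..." is passed through
    // unchanged and becomes part of the SQL statement the database runs.
    $member_id = isset( $_GET['member_id'] ) ? $_GET['member_id'] : '';

    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_type = 'team_member' AND ID = " . $member_id
    );

    wp_send_json_success( $rows );
}

// ---- HARDENED: narrow the type, then bind it through $wpdb->prepare() ----
function example_team_member_safe() {
    global $wpdb;

    // absint() coerces the value to a non-negative integer: trailing injected
    // text is discarded ("7 OR 1=1" becomes 7) and non-numeric input becomes 0.
    $member_id = isset( $_GET['member_id'] )
        ? absint( wp_unslash( $_GET['member_id'] ) )
        : 0;

    if ( 0 === $member_id ) {
        // Reject rather than query: an invalid ID is a client error.
        wp_send_json_error( array( 'message' => 'invalid member id' ), 400 );
    }

    // %d and %s are substituted by prepare(); %s is escaped and quoted for us,
    // so the template must not wrap it in quotes. The request can no longer
    // alter the statement, whatever the input contained.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} "
            . "WHERE post_type = %s AND ID = %d",
            'team_member',
            $member_id
        )
    );

    wp_send_json_success( $rows );
}

// Register only the hardened handler, for logged-in and anonymous requests
// alike (the nopriv hook is what makes the endpoint reachable without a login).
add_action( 'wp_ajax_example_get_team_member', 'example_team_member_safe' );
add_action( 'wp_ajax_nopriv_example_get_team_member', 'example_team_member_safe' );
```

Note that absint() alone is not the defense: it narrows the type, but it is the %d placeholder in $wpdb->prepare() that guarantees the request can no longer change the statement. The same applies to string parameters, which should go through %s rather than being concatenated, even when they have been sanitized first.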

What an Attacker Can Steal

SQL injection vulnerabilities in WordPress plugins are particularly dangerous. They allow attackers to extract the entire database, including user credentials, password hashes, and sensitive configuration data. With access to password hashes, an attacker can crack weak passwords offline or use the hash to authenticate directly on sites that accept phpass hashes. The WordPress users table (wp_users) contains usernames, email addresses, and password hashes for every registered user. A single SQL injection can dump this entire table.

Beyond user credentials, the WordPress database contains a wealth of sensitive data. The wp_options table stores site configuration including database connection details, API keys for various services, security keys and salts, and other sensitive settings. The wp_posts table contains all content including private posts, draft content, and page revisions that may contain sensitive information. The wp_postmeta table stores metadata for posts including form submissions, custom field data, and e-commerce order details if WooCommerce is installed.

For e-commerce sites running alongside this plugin, an SQL injection can expose customer names, addresses, phone numbers, order histories, and in some cases partial payment data. The wp_usermeta table stores user profile information including billing addresses, shipping addresses, and custom user fields. This data may include sensitive personal data protected by privacy regulations like GDPR or CCPA. A data breach from SQL injection could carry legal and financial consequences beyond the immediate compromise.

In worst-case scenarios, the attacker can use SQL injection to write new files to the server using the MySQL SELECT … INTO OUTFILE statement. If the database user has FILE privileges and permissions allow it, the attacker can write a PHP webshell to the WordPress uploads directory or a theme directory. Once a webshell is in place, the attacker has persistent file-level access to the server. Cleanup becomes significantly more difficult.

Impact and CVSS Breakdown

  • CVSS Score: 8.6 (High)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
  • Affected Versions: Team plugin before version 5.0.11

The CVSS 8.6 rating reflects the high severity of this SQL injection vulnerability. The attack requires no privileges, no user interaction, and has low complexity. The impact on confidentiality, integrity, and availability all rate as High because SQL injection can read any data, modify or delete any data, and potentially write files to the server. The high availability impact may seem less intuitive, but SQL injection can drop tables, corrupt data, or execute resource-intensive queries. These queries can degrade database performance to the point of denial of service.

Detecting SQL Injection Attacks

Detecting SQL injection attempts requires monitoring incoming request patterns and database query behavior. Common indicators of SQL injection include request parameters containing SQL keywords like UNION, SELECT, INSERT, or DROP. SQL comment syntax like double-hyphens or hash signs also indicates injection attempts. URL-encoded SQL metacharacters in GET or POST parameters are another red flag. Repeated requests with varying SQL injection payloads suggest an automated scanning tool probing for vulnerable endpoints. Database error messages appearing in HTTP responses or error logs may indicate successful injection attempts.
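To make those indicators concrete, here is an added stand-alone PHP script (not from this article and not Trusti Security's rule set) that scores web-server access-log lines for the patterns just listed: SQL keywords, comment syntax, tautologies such as OR 1=1, quote characters, 5xx responses on suspicious requests, and repeated flagged requests from one client. The log lines are constructed samples; the action name and parameter are placeholders, and the regular expressions are illustrative heuristics that will also match some legitimate URLs, so treat hits as triage signals rather than verdicts.

```php
<?php
/**
 * Added example (not the article's or any vendor's code): scan combined-format
 * access-log lines for SQL injection indicators. Run with: php sqli_log_scan.php
 * All log lines below are constructed samples; the AJAX action name and the
 * member_id parameter are hypothetical placeholders.
 */

// Constructed sample log: one benign lookup, one benign page view, and three
// probes from the same client, the last of which produced a server error.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [24/Apr/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=team_get_member&member_id=7 HTTP/1.1" 200 512
203.0.113.10 - - [24/Apr/2026:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=team_get_member&member_id=7%20OR%201%3D1 HTTP/1.1" 200 9182
203.0.113.10 - - [24/Apr/2026:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=team_get_member&member_id=7%20UNION%20SELECT%201%2C2%20--%20- HTTP/1.1" 200 2048
198.51.100.7 - - [24/Apr/2026:10:02:11 +0000] "GET /team/?orderby=name HTTP/1.1" 200 4096
203.0.113.10 - - [24/Apr/2026:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=team_get_member&member_id=7'%23 HTTP/1.1" 500 0
LOG;

// Indicator patterns, applied to the URL-decoded request target.
const INDICATORS = array(
    'sql_keyword' => '/\b(union|select|insert|update|delete|drop)\b/i',
    'sql_comment' => '/(--|#|\/\*)/',
    'tautology'   => '/\b(or|and)\b\s+\S+\s*=\s*\S+/i',   // e.g. OR 1=1
    'quote_break' => '/[\'"]/',
);

// Extract client IP, method, request target and status from one log line.
function parse_log_line( string $line ): ?array {
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'method' => $m[2], 'target' => $m[3], 'status' => (int) $m[4] );
}

// Return the names of every indicator that matches the decoded target.
function score_request( string $target ): array {
    $decoded = urldecode( $target );   // %xx and '+' back to the raw characters
    $hits    = array();
    foreach ( INDICATORS as $name => $regex ) {
        if ( preg_match( $regex, $decoded ) ) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scan a whole log and return one finding per request that tripped an indicator.
function scan_log( string $log ): array {
    $findings = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $req = parse_log_line( $line );
        if ( null === $req ) {
            continue;
        }
        $hits = score_request( $req['target'] );
        if ( empty( $hits ) ) {
            continue;
        }
        $findings[] = array(
            'ip'     => $req['ip'],
            'status' => $req['status'],
            'target' => $req['target'],
            'hits'   => $hits,
            // A 5xx on a request carrying SQL metacharacters may be a database
            // error surfacing, one of the signs of a successful injection.
            'db_error_suspected' => $req['status'] >= 500,
        );
    }
    return $findings;
}

// Count flagged requests per client; bursts of varying payloads suggest a scanner.
function summarize_by_ip( array $findings ): array {
    $per_ip = array();
    foreach ( $findings as $f ) {
        $per_ip[ $f['ip'] ] = ( $per_ip[ $f['ip'] ] ?? 0 ) + 1;
    }
    return $per_ip;
}

$findings = scan_log( SAMPLE_LOG );
foreach ( $findings as $f ) {
    printf( "%s %d %s -> %s%s\n", $f['ip'], $f['status'], $f['target'],
        implode( ',', $f['hits'] ), $f['db_error_suspected'] ? ' [5xx: possible DB error]' : '' );
}
foreach ( summarize_by_ip( $findings ) as $ip => $count ) {
    if ( $count >= 3 ) {
        printf( "%s: %d flagged requests -> likely automated probing\n", $ip, $count );
    }
}
```

On the sample log the script flags the three requests from 203.0.113.10 (tautology; keyword plus comment; quote plus comment with a 500 response) and leaves the two benign requests alone. Words such as "update" or "#" appear in legitimate URLs too, so in production these patterns belong in a scoring pipeline with per-endpoint context rather than as a hard block list.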

Trusti Security’s Firewall module includes SQL injection detection rules that inspect all incoming requests for SQL injection patterns. The rules analyze query parameters, POST data, cookies, and HTTP headers for SQL metacharacters and known injection patterns. When the firewall detects a SQL injection attempt, it blocks the request before it reaches the WordPress application. This prevents the malicious query from ever reaching the database.

Virtual patching is another valuable feature for SQL injection protection. Even before the plugin developer releases an official update, Trusti Security’s virtual patching system can block exploitation attempts against known vulnerable parameters. This provides time-zero protection when a vulnerability becomes public but a patch is not yet available.

How to Protect Your Site

WordPress SQL injection prevention relies on prepared statements and proper input sanitization. Plugin developers should use $wpdb->prepare() for all database queries without exception. Site owners running the Team plugin should update to version 5.0.11 or later immediately. The patched version replaces all unsafe direct query concatenation with properly parameterized queries using $wpdb->prepare().

Beyond updating vulnerable plugins, use a Web Application Firewall (WAF) to block SQL injection attempts. Trusti Security’s Firewall module includes SQL injection detection rules that block malicious requests before they reach your database. Combined with regular updates and vulnerability scanning, this provides layered protection against injection attacks. The Core Integrity Scanner can detect modified files after a successful SQL injection attack. This helps you identify and respond to compromises quickly.

Regular database backups are essential. Even with the best security measures, no defense is perfect. Maintain encrypted, off-site backups of your WordPress database that reside separately from your web server. If a SQL injection attack succeeds in deleting or corrupting data, recent backups are your last line of defense. Test your backup restoration process periodically to ensure it works when you need it.

The Team plugin is available on WordPress.org at wordpress.org/plugins/team/. Update to version 5.0.11 or later if you are running an affected version.
