EIP-2026-113572
PRE-CVEWordPress Plugin Auctions 1.8.8 - 'wpa_id' SQL Injection
Title source: legacyExploitation Summary
EIP tracks 1 public exploit for EIP-2026-113572. PoCs published by sherl0ck_.
AI-analyzed exploit summary The exploit demonstrates an SQL injection vulnerability in the Auctions plug-in for WordPress by injecting a malicious SQL query via the 'download_key' parameter. The payload uses a time-based blind SQLi technique with BENCHMARK and MD5 functions to confirm vulnerability.
Description
WordPress Plugin Auctions 1.8.8 - 'wpa_id' SQL Injection
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by sherl0ck_ · textwebappsphp
https://www.exploit-db.com/exploits/36135
The exploit demonstrates an SQL injection vulnerability in the Auctions plug-in for WordPress by injecting a malicious SQL query via the 'download_key' parameter. The payload uses a time-based blind SQLi technique with BENCHMARK and MD5 functions to confirm vulnerability.
Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target:
Owen Cutajar Auctions versions 1.8.8 and prior
No auth needed
Prerequisites:
Access to the vulnerable WordPress plugin endpoint
devstral-2 · analyzed Feb 18, 2026
Full analysis →
Details
Status
pre_cve
Tracked Since
Feb 18, 2026