CVE-2026-24977
Published: 25 March 2026
Summary
CVE-2026-24977 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents blind SQL injection in the Organici Library plugin by requiring validation and sanitization of user inputs to neutralize special elements in SQL commands.
SI-2 mandates timely remediation of flaws like CVE-2026-24977 by patching the vulnerable noo-organici-library plugin versions up to 2.1.2.
RA-5 requires vulnerability scanning to identify and remediate SQL injection vulnerabilities such as this one in WordPress plugins prior to exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a publicly accessible WordPress plugin directly enables T1190 (Exploit Public-Facing Application) for initial access by authenticated low-privileged users; the blind SQLi capability facilitates direct extraction of sensitive data from the backend database, mapping to T1213.006 (Data from Information Repositories: Databases).
NVD Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NooTheme Organici Library noo-organici-library allows Blind SQL Injection.This issue affects Organici Library: from n/a through <= 2.1.2.
Deeper analysisAI
CVE-2026-24977 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that enables Blind SQL Injection in the NooTheme Organici Library (noo-organici-library) WordPress plugin. The flaw affects all versions from n/a through 2.1.2 and is classified under CWE-89. It was published on 2026-03-25 with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality impact.
The vulnerability can be exploited by low-privileged users (PR:L), such as authenticated WordPress roles with minimal permissions, over the network without requiring user interaction. Attackers can leverage blind SQL injection techniques, like boolean-based or time-based queries, to extract sensitive data from the database, achieving high confidentiality impact (C:H). The changed scope (S:C) suggests potential chaining to higher-privilege contexts, with low availability disruption (A:L) and no integrity impact.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/noo-organici-library/vulnerability/wordpress-organici-library-plugin-2-1-2-sql-injection-vulnerability?_s_id=cve, which covers the SQL injection vulnerability in Organici Library plugin version 2.1.2. Security practitioners should update to a patched version if available and apply input sanitization or database query parameterization as interim measures.
Details
- CWE(s)