CVE-2026-31922
Published: 13 March 2026
Summary
CVE-2026-31922 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 11.8th percentile (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation): validate and parameterize every value that reaches a query, and apply the vendor fix.
Deeper analysis
CVE-2026-31922 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that enables Blind SQL Injection in the Ays Pro Fox LMS (fox-lms) WordPress plugin. It affects all Fox LMS versions up to and including 1.0.6.3 (no lower bound is stated) and is classified under CWE-89.
The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), indicating high severity. A low-privileged authenticated user (PR:L) can exploit it remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Because the injection is blind, the application returns no query output directly; the attacker infers data one true/false answer at a time (for example, from whether a page renders differently or responds more slowly), which is still enough to extract sensitive database contents (C:H). Integrity is rated unaffected (I:N), availability impact is low (A:L), and the scope change (S:C) means the impact extends beyond the vulnerable plugin itself.
Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/fox-lms/vulnerability/wordpress-fox-lms-plugin-1-0-6-3-sql-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11798
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Fox LMS fox-lms allows Blind SQL Injection. This issue affects Fox LMS: from n/a through <= 1.0.6.3.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Related Threats
MITRE ATT&CK Enterprise Techniques [AI]
- T1190 (Exploit Public-Facing Application)
- T1213.006 (Data from Databases)
Why these techniques?
SQL injection in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application), here from an authenticated low-privileged account, and T1213.006 (Data from Databases) through blind, character-by-character extraction of database contents.
Affected Assets
- Ays Pro Fox LMS (fox-lms) WordPress plugin, versions through 1.0.6.3
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-10 (Information Input Validation): directly prevents SQL injection by validating input and neutralizing special elements before they reach the SQL commands used by the vulnerable Fox LMS plugin, in practice by binding user-supplied values as query parameters rather than concatenating them into query text.
- SI-2 (Flaw Remediation): ensures timely identification, reporting, testing, and installation of the vendor fix for the SQL injection flaw in Fox LMS versions through 1.0.6.3.
- SC-7 (Boundary Protection): a web application firewall at the boundary can monitor and block recognizable SQL injection payloads aimed at the vulnerable plugin endpoint; this reduces exposure while the patch is pending but does not remove the underlying flaw.
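The blind-extraction mechanics described under "Deeper analysis" and the SI-10 control above, as an added worked example. This is not Fox LMS code and is not taken from the Patchstack advisory: the SQLite stand-in, its `courses` and `users` tables, the `course_id` parameter and the secret value are all constructed for the demo. It shows a CWE-89 query beside its hardened form, then drives a boolean-based blind extraction against each: the concatenated query leaks the secret one character at a time even though the application only ever answers "row found" or "not found", while the validated, parameterised query gives the attacker nothing.

```python
"""Boolean-based blind SQL injection against a constructed stand-in, and its fix.

Added illustration only: nothing here is Fox LMS code. The tables, the
`course_id` parameter and the secret are invented so the script runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an LMS database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE courses (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO courses VALUES (1, 'Intro'), (2, 'Advanced');
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cr3t');
        """
    )
    return conn


def course_exists_vulnerable(conn: sqlite3.Connection, course_id: str) -> bool:
    """CWE-89 pattern: the request parameter is pasted into the SQL text.

    The caller only learns whether a row came back (a single bit), which is
    exactly the oracle a blind injection needs.
    """
    sql = "SELECT id FROM courses WHERE id = " + course_id
    return conn.execute(sql).fetchone() is not None


def course_exists_fixed(conn: sqlite3.Connection, course_id: str) -> bool:
    """Hardened form: validate the input (SI-10) and bind it as a parameter.

    In a WordPress plugin the equivalent is $wpdb->prepare() with a %d
    placeholder; the '?' placeholder here plays the same role.
    """
    # isascii() guards against Unicode digits that isdigit() would accept.
    if not (course_id.isascii() and course_id.isdigit()):
        raise ValueError("course_id must be a non-negative integer")
    sql = "SELECT id FROM courses WHERE id = ?"
    return conn.execute(sql, (int(course_id),)).fetchone() is not None


def safe_oracle(conn: sqlite3.Connection, course_id: str) -> bool:
    """The fixed endpoint as an attacker sees it: rejected input is just 'no'."""
    try:
        return course_exists_fixed(conn, course_id)
    except ValueError:
        return False


def blind_extract(oracle, conn: sqlite3.Connection, max_len: int = 32) -> str:
    """Recover admin's pass_hash one character at a time from true/false answers.

    Each probe asks "is character N of the secret equal to code C?"; the
    application never returns the data itself, only whether the row matched.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for code in range(32, 127):  # printable ASCII
            payload = (
                "1 AND unicode(substr((SELECT pass_hash FROM users "
                f"WHERE login = 'admin'), {pos}, 1)) = {code}"
            )
            if oracle(conn, payload):
                matched = chr(code)
                break
        if matched is None:  # past the end of the secret, or every probe refused
            break
        recovered += matched
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", repr(blind_extract(course_exists_vulnerable, db)))
    print("fixed:     ", repr(blind_extract(safe_oracle, db)))
```

Running it prints the recovered secret for the concatenated query and an empty string for the hardened one, because every probe is rejected before it reaches the database. A boundary WAF (SC-7) can catch the obvious `AND unicode(substr(` shape of these probes, but encoded or restructured payloads routinely slip past signatures; only the validated, parameterised query removes the oracle, which is why SI-10 and the vendor patch (SI-2) are the primary controls.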