CVE-2026-0722 Shield Security <= 21.0.8 - Cross-Site Request Forgery to SQL Injection

🗓️ 19 Feb 2026 04:36:27Reported by WordfenceType

Shield plugin up to 21.0.8 has CSRF SQL injection via bypassed nonce check in isNonceVerifyRequired.

Reporter	Title	Published	Views	Family All 8
CNNVD	WordPress plugin Shield Security SQL注入漏洞	19 Feb 202600:00	–	cnnvd
CVE	CVE-2026-0722	19 Feb 202604:36	–	cve
NVD	CVE-2026-0722	19 Feb 202607:17	–	nvd
Patchstack	WordPress Shield Security plugin <= 21.0.8 - Cross-Site Request Forgery to SQL Injection vulnerability	19 Feb 202612:52	–	patchstack
Positive Technologies	PT-2026-20628	19 Feb 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-0722	20 Feb 202607:22	–	redhatcve
Vulnrichment	CVE-2026-0722 Shield Security <= 21.0.8 - Cross-Site Request Forgery to SQL Injection	19 Feb 202604:36	–	vulnrichment
Wordfence Blog	Wordfence Intelligence Weekly WordPress Vulnerability Report (February 16, 2026 to February 22, 2026)	26 Feb 202616:02	–	wordfence

[
  {
    "vendor": "paultgoodchild",
    "product": "Shield: Blocks Bots, Protects Users, and Prevents Security Breaches",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "21.0.8",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
research	www.research.cleantalk.org/cve-2026-0722/
plugins	www.plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/Actions/BaseAction.php
plugins	www.plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/CaptureAjaxAction.php
plugins	www.plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/Tables/DataTables/LoadData/Traffic/BuildTrafficTableData.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/f53d9579-56e9-41aa-b6b7-2472734ee719
plugins	www.plugins.trac.wordpress.org/changeset

08 Apr 2026 17:33Current

CVSS 3.16.5

EPSS0.00031

CWE-89