Skip to main content

Collapsing Categories CVE-2026-32366

| EUVDEUVD-2026-11860 HIGH
SQL Injection (CWE-89)
2026-03-13 Patchstack
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11860
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Categories collapsing-categories allows Blind SQL Injection.This issue affects Collapsing Categories: from n/a through <= 3.0.9.

AnalysisAI

A blind SQL injection vulnerability exists in the WordPress Collapsing Categories plugin (versions up to 3.0.9) that allows authenticated attackers with low privileges to execute arbitrary SQL queries against the database. The vulnerability enables extraction of sensitive data including user credentials, though it does not allow direct data modification. With a CVSS score of 8.5 and no current exploitation in the wild (not in KEV), this represents a serious but not critical risk for WordPress sites using this plugin.

Technical ContextAI

The Collapsing Categories plugin by robfelty is a WordPress extension that provides collapsible category listings for posts. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89), where user-supplied input is not properly sanitized before being incorporated into database queries. This classic SQL injection flaw allows attackers to inject malicious SQL code through plugin parameters, though the 'blind' nature means results must be inferred through timing or boolean-based responses rather than direct output. The affected product is identified as cpe:2.3:a:robfelty:collapsing-categories:*:*:*:*:*:wordpress:*:* covering all versions through 3.0.9.

RemediationAI

The primary remediation is to update the Collapsing Categories plugin to a version newer than 3.0.9 if available, or remove the plugin entirely if it is not actively used. As an immediate workaround, administrators should review and restrict user privileges to minimize the number of accounts that could exploit this vulnerability, ensuring only trusted users have contributor-level access or higher. Additionally, implementing a Web Application Firewall (WAF) with SQL injection protection rules can help block exploitation attempts while awaiting a patch. Monitor WordPress security advisories and the plugin's official repository for security updates.

Share

CVE-2026-32366 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy