Skip to main content

Publishpress Revisions CVE-2026-32539

| EUVDEUVD-2026-15913 CRITICAL
SQL Injection (CWE-89)
2026-03-25 Patchstack
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15913
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Revisions revisionary allows Blind SQL Injection.This issue affects PublishPress Revisions: from n/a through <= 3.7.23.

AnalysisAI

A blind SQL injection vulnerability exists in the PublishPress Revisions WordPress plugin through version 3.7.23, allowing attackers to execute arbitrary SQL commands against the underlying database. The vulnerability affects all installations of PublishPress Revisions up to and including version 3.7.23, enabling attackers to extract sensitive data, modify database contents, or potentially achieve remote code execution depending on database permissions and WordPress configuration. No CVSS score or EPSS data is currently available, and KEV status is unknown, though the vulnerability has been documented by Patchstack security researchers with a public reference available.

Technical ContextAI

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which represents a failure to properly sanitize or parameterize SQL queries within the application. PublishPress Revisions, identified via CPE cpe:2.3:a:publishpress:publishpress_revisions:*:*:*:*:*:*:*:*, is a WordPress plugin that manages post revisions and versioning. The blind SQL injection variant indicates that attackers cannot directly observe query results in HTTP responses, requiring time-based or boolean-based inference techniques to extract data. The root cause stems from insufficient input validation or use of string concatenation instead of prepared statements when constructing SQL queries, a common WordPress plugin vulnerability pattern.

RemediationAI

Immediately upgrade PublishPress Revisions to a version above 3.7.23 if such a patched version is available from the PublishPress development team. Consult the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/revisionary/vulnerability/wordpress-publishpress-revisions-plugin-3-7-23-sql-injection-vulnerability and contact PublishPress directly for patch availability and release schedules. As an interim measure if patching is delayed, restrict access to PublishPress Revisions functionality via WordPress user role restrictions, disable the plugin if not actively required, and implement Web Application Firewall (WAF) rules to block common SQL injection patterns. Monitor WordPress database activity for suspicious queries, and review database user permissions to follow the principle of least privilege.

Share

CVE-2026-32539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy