Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Revisions revisionary allows Blind SQL Injection.This issue affects PublishPress Revisions: from n/a through <= 3.7.23.
AnalysisAI
A blind SQL injection vulnerability exists in the PublishPress Revisions WordPress plugin through version 3.7.23, allowing attackers to execute arbitrary SQL commands against the underlying database. The vulnerability affects all installations of PublishPress Revisions up to and including version 3.7.23, enabling attackers to extract sensitive data, modify database contents, or potentially achieve remote code execution depending on database permissions and WordPress configuration. No CVSS score or EPSS data is currently available, and KEV status is unknown, though the vulnerability has been documented by Patchstack security researchers with a public reference available.
Technical ContextAI
The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which represents a failure to properly sanitize or parameterize SQL queries within the application. PublishPress Revisions, identified via CPE cpe:2.3:a:publishpress:publishpress_revisions:*:*:*:*:*:*:*:*, is a WordPress plugin that manages post revisions and versioning. The blind SQL injection variant indicates that attackers cannot directly observe query results in HTTP responses, requiring time-based or boolean-based inference techniques to extract data. The root cause stems from insufficient input validation or use of string concatenation instead of prepared statements when constructing SQL queries, a common WordPress plugin vulnerability pattern.
RemediationAI
Immediately upgrade PublishPress Revisions to a version above 3.7.23 if such a patched version is available from the PublishPress development team. Consult the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/revisionary/vulnerability/wordpress-publishpress-revisions-plugin-3-7-23-sql-injection-vulnerability and contact PublishPress directly for patch availability and release schedules. As an interim measure if patching is delayed, restrict access to PublishPress Revisions functionality via WordPress user role restrictions, disable the plugin if not actively required, and implement Web Application Firewall (WAF) rules to block common SQL injection patterns. Monitor WordPress database activity for suspicious queries, and review database user permissions to follow the principle of least privilege.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15913