
Feed KuantoKusta for WooCommerce: CVE-2026-39441

EUVD-2026-36926 · CRITICAL
SQL Injection (CWE-89)
Published 2026-06-15 · Reported via Patchstack · GHSA-wxhf-xjhx-2vh3
CVSS 3.1 base score 9.3 (source: Patchstack)

Severity by source

Vendor (Patchstack), primary rating: 9.3 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

vuln.today AI: 9.3 CRITICAL
Rationale: a network-reachable WordPress plugin endpoint with no authentication and no user interaction (PR:N/UI:N); scope is rated changed (S:C) on the reasoning that the injected query reads beyond the plugin's own context into core WordPress and WooCommerce tables; a SELECT-only injection gives C:H and I:N, with A:L for the load that heavy (for example time-based) queries put on the database.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

CVE Published: Jun 15, 2026, 20:17 (cve.org)
Analysis Generated: Jun 15, 2026, 22:34 (vuln.today)

Description (CVE.org)

Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce - Free <= 5.3 versions.

Analysis (AI)

Unauthenticated SQL injection in the Feed KuantoKusta for WooCommerce Free WordPress plugin (all versions up to and including 5.3) lets a remote attacker with no prior authentication inject crafted SQL into a database query. Disclosed via Patchstack and tracked as EUVD-2026-36926, the flaw carries a CVSS 3.1 score of 9.3 with a changed scope, indicating data exposure beyond the plugin's own context. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: identify a WordPress site running the Feed KuantoKusta plugin
Delivery: send a crafted request to the vulnerable feed endpoint
Exploit: inject SQL into the tainted parameter
Execution: the database returns sensitive rows in the response
Persist: exfiltrate wp_users hashes and WooCommerce customer data
Impact: crack the hashes offline for follow-on account takeover

Vulnerability Assessment (AI)

Exploitation: No special conditions; remote unauthenticated exploitation works against any WordPress site that has the Feed KuantoKusta for WooCommerce - Free plugin (any version through 5.3) installed and active and reachable over HTTP/HTTPS. …
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L describes a network-reachable, low-complexity, unauthenticated, no-interaction attack with high confidentiality impact and a scope change, the canonical profile of a serious SQLi against a public WordPress endpoint. …
Exploit Scenario: An opportunistic attacker scanning the internet for WordPress sites running the Feed KuantoKusta plugin sends a crafted HTTP GET or POST request to the vulnerable feed endpoint, injecting UNION-based or time-based SQL payloads into the tainted parameter. Because no authentication is required and complexity is low, the attacker can extract wp_users password hashes and WooCommerce customer order data (PII, addresses, possibly partial payment metadata) in a single automated pass. …
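The scenario above names two payload families, UNION-based and time-based. As an added example that is not part of this page, the following Python runs a signature check over web-server access logs in Apache combined format and reports each request carrying such a payload, noting whether the request touches the plugin. The log lines are constructed for the demonstration; the `feed=kuantokusta` route and the `id` parameter are placeholders, because the page does not name the vulnerable endpoint or the tainted parameter.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in Apache "combined" format. The route and parameter are
# placeholders; the page does not name the real endpoint or the tainted parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2026:21:02:11 +0000] "GET /?feed=kuantokusta&id=1%20UNION%20SELECT%20user_login,user_pass,3%20FROM%20wp_users-- HTTP/1.1" 200 8123 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:21:02:13 +0000] "GET /?feed=kuantokusta&id=1%20AND%20SLEEP(5) HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.4 - - [15/Jun/2026:21:05:40 +0000] "GET /?feed=kuantokusta&id=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jun/2026:21:06:02 +0000] "GET /product/blue-widget/ HTTP/1.1" 200 15233 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Ordered from most to least specific; the first match names the technique.
SIGNATURES = [
    ("union-based", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("schema-enumeration", re.compile(r"information_schema", re.I)),
    ("boolean-tautology", re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.I)),
]


def decode(value, rounds=2):
    """URL-decode up to `rounds` times so double-encoded payloads are exposed."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target):
    """Return the technique name for a request target, or None if it looks clean."""
    decoded = decode(target)
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name
    return None


def scan_log(text, plugin_marker="kuantokusta"):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        technique = classify(match["target"])
        if technique is None:
            continue
        findings.append({
            "ip": match["ip"],
            "time": match["ts"],
            "status": int(match["status"]),
            "technique": technique,
            "target": decode(match["target"]),
            "plugin_context": plugin_marker in match["target"].lower(),
        })
    return findings


def sources(findings):
    """Count findings per client address, the usual pivot for blocking or triage."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        flag = "plugin" if hit["plugin_context"] else "other"
        print(f'{hit["time"]} {hit["ip"]:15s} {hit["technique"]:18s} [{flag}] {hit["target"]}')
    print("by source:", dict(sources(hits)))
```

Read the findings together with status and size: a UNION payload answered with HTTP 200 and a body the size of the legitimate feed (first line versus third) suggests rows came back, whereas a time-based probe answered with a normal-looking response tells you little without timing data, which the combined format does not record. Signatures of this kind catch the opportunistic scanner described above; a hand-crafted or heavily obfuscated payload needs the database's own query log or a WAF with SQL tokenisation.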
Remediation: No patched release is confirmed in the data behind this page; the advisory only states the vulnerable range (≤ 5.3) without naming a fixed version. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/feed-kuantokusta-for-woocommerce/vulnerability/wordpress-feed-kuantokusta-for-woocommerce-free-plugin-5-3-sql-injection-vulnerability for the fixed version and upgrade to it once it is published; until then treat every release at or below 5.3 as vulnerable. …

Recommended Action (AI)

Within 24 hours: audit all WordPress environments for Feed KuantoKusta at version 5.3 or earlier; deactivate the plugin immediately on every affected system or, where it is business-critical, isolate the affected servers from external network access until a fixed release is available. …
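One way to carry out the audit step across many document roots, as an added example that is not the page's or the plugin vendor's code: the Python below walks a `wp-content/plugins` directory, reads each plugin's header the way WordPress does (from the first 8 KB of the main PHP file), matches the plugin by the slug `feed-kuantokusta-for-woocommerce` taken from the Patchstack advisory URL or by name, and classifies the installed version against the ≤ 5.3 range. Versions above 5.3 are reported as `above-range`, not as fixed, because this page confirms no patched release. The sample plugins tree it builds for the demonstration is constructed, not real plugin code.

```python
import os
import re
import tempfile

# Slug from the Patchstack advisory URL; vulnerable range as stated on the page.
PLUGIN_SLUG = "feed-kuantokusta-for-woocommerce"
MAX_AFFECTED = "5.3"

# WordPress reads plugin headers from the first 8 KB of the plugin's main file.
HEADER_RE = re.compile(r"^[ \t]*\*?[ \t]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)


def version_tuple(version):
    """'5.3' -> (5, 3); '5.3.0' normalises to (5, 3); a suffix like '-beta2' is ignored."""
    numeric = re.split(r"[^0-9.]", version.strip(), maxsplit=1)[0]
    parts = tuple(int(p) for p in numeric.split(".") if p)
    while parts and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def status_for(version):
    """Classify an installed version against the advisory's vulnerable range."""
    if not version:
        return "unknown-version"      # no Version header: treat as affected
    if version_tuple(version) <= version_tuple(MAX_AFFECTED):
        return "affected"
    return "above-range"              # no fixed release is confirmed on the page


def read_plugin_header(plugin_dir):
    """Return (name, version) from the first PHP file that carries a plugin header."""
    for entry in sorted(os.listdir(plugin_dir)):
        if not entry.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, entry), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields:
            return fields["Plugin Name"], fields.get("Version", "")
    return None


def audit_plugins(plugins_root):
    """Walk wp-content/plugins and classify any copy of the plugin found there."""
    findings = []
    for slug in sorted(os.listdir(plugins_root)):
        plugin_dir = os.path.join(plugins_root, slug)
        if not os.path.isdir(plugin_dir):
            continue
        header = read_plugin_header(plugin_dir)
        if header is None:
            continue
        name, version = header
        if slug != PLUGIN_SLUG and "kuantokusta" not in name.lower():
            continue
        findings.append({"slug": slug, "name": name, "version": version,
                         "status": status_for(version)})
    return findings


def make_sample_install(root):
    """Write a constructed plugins tree for the demo; these are not real plugin files."""
    sample = {
        PLUGIN_SLUG: ("Feed KuantoKusta for WooCommerce", "5.3"),
        "woocommerce": ("WooCommerce", "9.0.0"),
    }
    for slug, (name, version) in sample.items():
        plugin_dir = os.path.join(root, slug)
        os.makedirs(plugin_dir, exist_ok=True)
        with open(os.path.join(plugin_dir, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return root


def demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_plugins(make_sample_install(tmp))


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_plugins(root) if root else demo()
    for f in results:
        print(f'{f["slug"]:36s} {f["name"]:36s} {f["version"] or "?":8s} {f["status"]}')
    if not results:
        print("plugin not present")
```

Pass a real `wp-content/plugins` path as the only argument to audit a host or a restored backup; with no argument it audits the constructed sample. A filesystem sweep does not tell you whether the plugin is active, so on a live host follow up with WP-CLI: `wp plugin list --fields=name,version,status` confirms the state and `wp plugin deactivate feed-kuantokusta-for-woocommerce` is the quickest way to perform the disable step. Hosts reported as `above-range` should be cleared only after the advisory names the fixed version.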
