Skip to main content

WP Data Access CVE-2026-42665

| EUVDEUVD-2026-36830 CRITICAL
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-7qrp-75jc-6288
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Network-reachable unauthenticated SQLi (AV:N/AC:L/PR:N/UI:N); scope change as DB tier beyond plugin (S:C); full data read (C:H), limited write via injection (I:L), no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:58 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions.

AnalysisAI

Unauthenticated SQL injection in the WP Data Access WordPress plugin (versions <= 5.5.70) allows remote attackers to inject arbitrary SQL through the plugin's interfaces without authentication. The high CVSS 9.3 score reflects a scope change (S:C) that lets the injection reach beyond the vulnerable component, exposing the entire WordPress database to confidentiality compromise. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

WP Data Access is a third-party WordPress plugin (CPE: passionate_programmer_peter:wp_data_access) that provides data management, table editing, and reporting features against the WordPress database. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated into SQL statements without proper parameterization or escaping. Because the plugin operates directly against the WordPress MySQL/MariaDB backend with the privileges of the WordPress database user, injection here yields access to all WordPress tables including wp_users and wp_options.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data, but administrators should upgrade WP Data Access to the latest version above 5.5.70 via the WordPress plugin dashboard and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-data-access/vulnerability/wordpress-wp-data-access-plugin-5-5-70-sql-injection-vulnerability for the exact fixed release. If immediate patching is not possible, deactivate the WP Data Access plugin entirely (acceptable trade-off for sites not actively using its data management features) or place the WordPress admin and plugin endpoints behind a Web Application Firewall such as Patchstack, Wordfence, or Cloudflare with SQLi signature rules enabled (side effect: may produce false positives on legitimate queries containing SQL keywords). Additionally, restrict database user privileges so the WordPress DB account cannot read MySQL system tables or execute FILE operations, limiting the blast radius of successful injection.

Share

CVE-2026-42665 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy