Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Network-reachable unauthenticated SQLi (AV:N/AC:L/PR:N/UI:N); scope change as DB tier beyond plugin (S:C); full data read (C:H), limited write via injection (I:L), no availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in WP Data Access <= 5.5.70 versions.
AnalysisAI
Unauthenticated SQL injection in the WP Data Access WordPress plugin (versions <= 5.5.70) allows remote attackers to inject arbitrary SQL through the plugin's interfaces without authentication. The high CVSS 9.3 score reflects a scope change (S:C) that lets the injection reach beyond the vulnerable component, exposing the entire WordPress database to confidentiality compromise. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
WP Data Access is a third-party WordPress plugin (CPE: passionate_programmer_peter:wp_data_access) that provides data management, table editing, and reporting features against the WordPress database. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated into SQL statements without proper parameterization or escaping. Because the plugin operates directly against the WordPress MySQL/MariaDB backend with the privileges of the WordPress database user, injection here yields access to all WordPress tables including wp_users and wp_options.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data, but administrators should upgrade WP Data Access to the latest version above 5.5.70 via the WordPress plugin dashboard and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-data-access/vulnerability/wordpress-wp-data-access-plugin-5-5-70-sql-injection-vulnerability for the exact fixed release. If immediate patching is not possible, deactivate the WP Data Access plugin entirely (acceptable trade-off for sites not actively using its data management features) or place the WordPress admin and plugin endpoints behind a Web Application Firewall such as Patchstack, Wordfence, or Cloudflare with SQLi signature rules enabled (side effect: may produce false positives on legitimate queries containing SQL keywords). Additionally, restrict database user privileges so the WordPress DB account cannot read MySQL system tables or execute FILE operations, limiting the blast radius of successful injection.
More in Wp Data Access
View allThe WP Data Access WordPress plugin before 5.0.0 does not properly sanitise and escape the backup_date parameter before
The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. R
Cross-Site Request Forgery (CSRF) vulnerability in Passionate Programmers B.V. Rated medium severity (CVSS 4.3), this vu
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36830
GHSA-7qrp-75jc-6288