Skip to main content

Attendance Manager CVE-2026-52712

| EUVDEUVD-2026-37049 HIGH
SQL Injection (CWE-89)
2026-06-16 Patchstack GHSA-9jqg-7fpc-m8xv
7.6
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L
vuln.today AI
6.3 MEDIUM

Network-reachable SQLi exploitable by subscribers (PR:L) with a privileged-user trigger (UI:R); scope unchanged within WordPress DB, high confidentiality, low integrity from possible DB writes.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 10:24 vuln.today

DescriptionCVE.org

Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions.

AnalysisAI

SQL injection in the Attendance Manager WordPress plugin version 0.6.2 and earlier allows authenticated users with subscriber-level privileges to inject malicious SQL through plugin functionality, leading to disclosure of sensitive database contents. The flaw was reported by Patchstack and impacts WordPress sites that have installed the tnomi Attendance Manager plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the canonical SQL injection weakness, indicating that user-supplied input is concatenated into a SQL query executed against the WordPress database without proper sanitization, escaping, or use of parameterized statements (wpdb->prepare). The affected component is the WordPress plugin 'Attendance Manager' by author tnomi (CPE: cpe:2.3:a:tnomi:attendance_manager), which is typically used by organizations to track employee or member attendance via the WordPress admin and front-end interfaces. Because WordPress subscriber accounts are the lowest privileged authenticated role - often available through open registration - the relevant query is reachable from a low-trust authenticated context rather than only from administrators.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed from the supplied data - site operators should upgrade the Attendance Manager plugin to the latest version above 0.6.2 via the WordPress plugin dashboard and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/attendance-manager/vulnerability/wordpress-attendance-manager-plugin-0-6-2-sql-injection-vulnerability for the exact fixed release. If immediate patching is not possible, compensating controls include disabling open user registration in WordPress (Settings > General, uncheck 'Anyone can register') to remove the subscriber attack surface - note this blocks legitimate self-service signups; deactivating the Attendance Manager plugin until a fix is verified, which obviously removes attendance-tracking functionality; and deploying a WordPress-aware WAF such as Patchstack, Wordfence, or a generic ModSecurity ruleset to block SQLi patterns against the plugin's endpoints, accepting the usual WAF false-positive trade-off.

Share

CVE-2026-52712 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy