Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L
Network-reachable SQLi exploitable by subscribers (PR:L) with a privileged-user trigger (UI:R); scope unchanged within WordPress DB, high confidentiality, low integrity from possible DB writes.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions.
AnalysisAI
SQL injection in the Attendance Manager WordPress plugin version 0.6.2 and earlier allows authenticated users with subscriber-level privileges to inject malicious SQL through plugin functionality, leading to disclosure of sensitive database contents. The flaw was reported by Patchstack and impacts WordPress sites that have installed the tnomi Attendance Manager plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the canonical SQL injection weakness, indicating that user-supplied input is concatenated into a SQL query executed against the WordPress database without proper sanitization, escaping, or use of parameterized statements (wpdb->prepare). The affected component is the WordPress plugin 'Attendance Manager' by author tnomi (CPE: cpe:2.3:a:tnomi:attendance_manager), which is typically used by organizations to track employee or member attendance via the WordPress admin and front-end interfaces. Because WordPress subscriber accounts are the lowest privileged authenticated role - often available through open registration - the relevant query is reachable from a low-trust authenticated context rather than only from administrators.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed from the supplied data - site operators should upgrade the Attendance Manager plugin to the latest version above 0.6.2 via the WordPress plugin dashboard and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/attendance-manager/vulnerability/wordpress-attendance-manager-plugin-0-6-2-sql-injection-vulnerability for the exact fixed release. If immediate patching is not possible, compensating controls include disabling open user registration in WordPress (Settings > General, uncheck 'Anyone can register') to remove the subscriber attack surface - note this blocks legitimate self-service signups; deactivating the Attendance Manager plugin until a fix is verified, which obviously removes attendance-tracking functionality; and deploying a WordPress-aware WAF such as Patchstack, Wordfence, or a generic ModSecurity ruleset to block SQLi patterns against the plugin's endpoints, accepting the usual WAF false-positive trade-off.
More in Attendance Manager
View allCross-site request forgery (CSRF) vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to hijac
Cross-site scripting vulnerability in Attendance Manager 0.5.6 and earlier allows remote attackers to inject arbitrary w
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37049
GHSA-9jqg-7fpc-m8xv