Skip to main content

WC Vendors Marketplace CVE-2026-54838

| EUVDEUVD-2026-39368 HIGH
SQL Injection (CWE-89)
2026-06-25 Patchstack GHSA-837c-38p7-p5rv
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
7.1 HIGH

Network-reachable injection needing only a Subscriber account (PR:L) with no UI; SQLi yields high data disclosure (C:H) and plausible limited data modification (I:L), scored S:U absent evidence of cross-system impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:19 vuln.today

DescriptionCVE.org

Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions.

AnalysisAI

SQL injection in the WC Vendors Marketplace WordPress plugin (versions <= 2.6.8) allows authenticated users holding only a low-privilege Subscriber-level account to inject arbitrary SQL into backend queries. Reported by Patchstack and tracked as CVE-2026-54838 (CWE-89), the flaw carries a CVSS 8.5 with a scope change, reflecting that a minimally-privileged marketplace account can read sensitive data across the WordPress database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain Subscriber account
Delivery
Authenticate to WordPress site
Exploit
Send crafted request with SQL payload to plugin endpoint
Execution
Injected query executes against database
Impact
Exfiltrate sensitive data beyond own scope

Vulnerability AssessmentAI

Exploitation Exploitation requires the WC Vendors Marketplace plugin installed and active at version 2.6.8 or earlier, plus an authenticated WordPress account at Subscriber level or higher (CVSS PR:L) - the attacker must be able to log in, so a fully unauthenticated visitor cannot trigger it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) describes a network-reachable, low-complexity attack requiring low privileges and no user interaction, yielding high confidentiality impact, low availability impact, and a scope change - a credible 8.5 'High'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free Subscriber account on a WordPress marketplace running WC Vendors Marketplace 2.6.8 or earlier, then sends a crafted request to a vulnerable plugin endpoint with malicious SQL in a parameter. Because the input is concatenated into a database query, the attacker extracts data from other tables - such as user records, password hashes, or order information - beyond their own account scope. …
Remediation No vendor-released patch version is identified in the available data, so the primary action is to upgrade to the first release later than 2.6.8 published by Rymera Web Co once available and to monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wc-vendors/vulnerability/wordpress-wc-vendors-marketplace-plugin-2-6-8-sql-injection-vulnerability) and the official WC Vendors changelog for the exact fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress installations using WC Vendors Marketplace plugin versions 2.6.8 or below. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54838 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy