Skip to main content

SimplePay for WooCommerce CVE-2026-56036

| EUVDEUVD-2026-39699 CRITICAL
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-m96r-cgp3-44h2
9.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.2 HIGH

Unauthenticated network-reachable SQLi gives AV:N/AC:L/PR:N/UI:N with C:H for full DB read; I:L for possible write, A:N, and scope unchanged as impact stays within the app's own database.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:44 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in 워드프레스 결제 심플페이 <= 5.5.6 versions.

AnalysisAI

Unauthenticated SQL injection in the WordPress payment plugin 워드프레스 결제 심플페이 (SimplePay / pgall-for-woocommerce) version 5.5.6 and earlier lets remote attackers inject arbitrary SQL against the WooCommerce database without any authentication or user interaction. Per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N), exploitation is trivial and network-reachable, with high confidentiality impact and a changed scope. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WooCommerce site with SimplePay plugin
Exploit
Send crafted request to injectable parameter
Execution
Inject SQL into database query
Impact
Exfiltrate customer and credential data

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond having the 워드프레스 결제 심플페이 (pgall-for-woocommerce) plugin installed and active at version 5.5.6 or earlier on a network-reachable WordPress/WooCommerce site - the CVSS vector AV:N/AC:L/PR:N/UI:N confirms remote, unauthenticated exploitation with no user interaction against the affected versions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially conflicting in detail but consistently point to high severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates WooCommerce stores running the SimplePay (pgall-for-woocommerce) plugin and sends a single crafted HTTP request to a vulnerable plugin parameter, embedding SQL that the backend executes against the WordPress database. Because no authentication or user interaction is required (PR:N/UI:N) and complexity is low (AC:L), the attacker can extract customer records, order data, and password hashes from wp_users in an automated, scalable fashion. …
Remediation No vendor-released patch version was identified in the available data, so a confirmed fixed release cannot be cited - monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/pgall-for-woocommerce/vulnerability/wordpress-plugin-5-5-6-sql-injection-vulnerability) and the plugin's update channel for a release above 5.5.6 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Immediately disable pgall-for-woocommerce on all WordPress instances; identify affected sites and restrict database user permissions for payment functions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56036 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy