Skip to main content

Vitepos CVE-2026-57385

| EUVDEUVD-2026-43459 HIGH
SQL Injection (CWE-89)
2026-07-13 Patchstack
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Network-reachable low-complexity SQLi requiring a low-privilege authenticated account (PR:L); blind injection reaches data beyond the plugin boundary (S:C, C:H) with no direct integrity impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:03 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in appsbd Vitepos vitepos-lite allows Blind SQL Injection.This issue affects Vitepos: from n/a through <= 3.4.2.

AnalysisAI

Blind SQL injection in the appsbd Vitepos (vitepos-lite) WordPress point-of-sale plugin affects all versions up to and including 3.4.2, allowing an authenticated attacker with low privileges to inject crafted SQL into backend database queries and infer data via boolean/time-based responses. The CVSS 3.1 base score of 8.5 reflects a scope change (S:C) with high confidentiality impact, meaning the plugin's SQL context can reach database contents beyond its own security boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege WordPress account
Delivery
Reach vulnerable Vitepos POS endpoint
Exploit
Inject blind SQL payload into parameter
Execution
Infer results via boolean/time responses
Impact
Exfiltrate database records

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated WordPress account with at least low privileges (CVSS PR:L), reflecting that the vulnerable Vitepos POS functionality is behind login rather than exposed to anonymous visitors - this is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) indicates a network-reachable, low-complexity attack requiring some authenticated privilege (PR:L) and no user interaction, with a scope change and high confidentiality impact - a genuinely serious profile for data exposure, though integrity is rated none and availability only low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or obtains a low-privilege authenticated account on a WordPress site running Vitepos ≤ 3.4.2 sends crafted input to a vulnerable POS parameter, embedding blind SQL injection payloads. By observing boolean or time-based differences in the plugin's responses, the attacker iteratively extracts sensitive database contents such as customer records, order data, or WordPress user password hashes. …
Remediation Upgrade the Vitepos / vitepos-lite plugin to a release later than 3.4.2 once appsbd publishes a fixed version; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-4-2-sql-injection-vulnerability) for the exact patched version, which was not enumerated in the available data - no vendor-released fixed version is independently confirmed here, so do not assume a version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all WordPress installations running Vitepos-lite versions 3.4.2 and earlier; audit and restrict database user privileges assigned to the plugin to only necessary tables and operations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57385 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy