Skip to main content

WP All Import CVE-2026-57628

| EUVDEUVD-2026-39744 HIGH
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-mf27-wm76-5323
7.6
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
5.5 MEDIUM

Requires an authenticated admin (PR:H) over the network with low complexity; SQLi yields full DB read (C:H), limited integrity impact (I:L), no scope change (S:U) since the database is the same security authority.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:50 vuln.today

DescriptionCVE.org

Administrator SQL Injection in WP All Import <= 4.0.1 versions.

AnalysisAI

SQL injection in the WP All Import WordPress plugin (versions 4.0.1 and earlier) allows an authenticated administrator to inject arbitrary SQL into backend database queries, enabling extraction of sensitive data beyond what the plugin UI exposes. The CVSS 3.1 vector (AV:N/AC:L/PR:H) confirms it is network-reachable but requires high privileges, and the original vector's S:C/C:H/A:L rates impact as elevated. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress administrator
Delivery
Access WP All Import import function
Exploit
Submit crafted SQL in import parameter
Execution
Backend query executes injection
Impact
Extract sensitive database contents

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress administrator account (CVSS PR:H), so this is not a remote unauthenticated flaw - the limiting factor is that the attacker must already hold or compromise admin-level access to the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward a moderate, not urgent, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been granted WordPress administrator access navigates to a WP All Import function and submits an import request containing a crafted parameter that is concatenated into a backend SQL query, allowing them to read arbitrary database tables such as user credentials or other sensitive records. No public POC is identified in the provided data, and the low attack complexity (AC:L) means that once admin access exists, exploitation is straightforward. …
Remediation Upgrade WP All Import to a version later than 4.0.1 once the vendor publishes a fixed release; the provided data does not include an exact patched version, so confirm the fixed version against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-all-import/vulnerability/wordpress-wp-all-import-plugin-4-0-1-sql-injection-vulnerability?_s_id=cve) before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations to identify those running WP All Import version 4.0.1 or earlier; review administrator account activity logs for the past 90 days. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57628 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy