Skip to main content

WP Post Author CVE-2026-57643

| EUVDEUVD-2026-39758 HIGH
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-chrq-mj9q-326j
8.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable, low-complexity SQLi needing a Contributor account (PR:L); confidentiality high from DB read, scope unchanged within the WordPress DB, integrity/availability impact not established.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:49 vuln.today

DescriptionCVE.org

Contributor SQL Injection in WP Post Author <= 3.9.1 versions.

AnalysisAI

SQL injection in the WP Post Author WordPress plugin (versions 3.9.1 and earlier) allows authenticated users with Contributor-level access to inject arbitrary SQL into the site database. Because exploitation requires only a low-privilege account (PR:L) over the network with no user interaction, any site that permits self-registration or has untrusted contributors is at material risk of database content disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor-level account
Delivery
Reach vulnerable plugin parameter
Exploit
Inject crafted SQL payload
Execution
Database executes malicious query
Impact
Extract sensitive table data (users/secrets)

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account at Contributor privilege level or higher (CVSS PR:L) on a site running WP Post Author version 3.9.1 or earlier; the attack is performed remotely over the network (AV:N) with low complexity (AC:L) and no victim interaction (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, base 8.5) indicates an easily reachable, low-privilege, high-confidentiality issue, consistent with a Contributor-triggered SQLi. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a Contributor account on a WordPress site running WP Post Author <= 3.9.1, then submits a crafted value to the plugin's vulnerable parameter that injects SQL into a backend query. The injection is used to extract sensitive rows - for example password hashes and secret keys from wp_users/wp_usermeta - enabling further account compromise. …
Remediation Upgrade WP Post Author to the latest release above 3.9.1 once confirmed via the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-post-author/vulnerability/wordpress-wp-post-author-plugin-3-9-1-sql-injection-vulnerability?_s_id=cve); the input data does not specify an exact fixed version, so the patched build should be verified against the vendor/Patchstack listing before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all deployments of WP Post Author plugin, identify active versions, and audit contributor account controls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57643 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy