Skip to main content

iNET Webkit CVE-2026-57752

| EUVDEUVD-2026-41308 HIGH
SQL Injection (CWE-89)
2026-07-02 Patchstack GHSA-cjmw-28wm-95mp
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
7.1 HIGH

Network-reachable SQLi needing a Contributor account (PR:L) at low complexity; primarily discloses database data (C:H) with limited integrity impact via injection (I:L) and no clear availability effect; scope kept unchanged as impact stays within the DB-backed application.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 12:24 vuln.today
CVE Published
Jul 02, 2026 - 11:15 cve.org
HIGH 8.5

DescriptionCVE.org

Contributor SQL Injection in iNET Webkit 1.2.4 versions.

AnalysisAI

SQL injection in the iNET Webkit WordPress plugin (version 1.2.4 and prior) lets authenticated users holding at least the Contributor role inject arbitrary SQL through unsanitized input, exposing the WordPress database. Reported by Patchstack and carrying a CVSS 8.5 (scope-changed) rating, it enables read access to sensitive data such as user credentials and secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress Contributor account
Delivery
Send crafted input to vulnerable plugin parameter
Exploit
Injected SQL executes against database
Execution
Extract user credentials and secrets
Impact
Escalate to admin / account takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account with at least the Contributor role (CVSS PR:L), reachable over the network with no user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L describes a network-reachable, low-complexity attack requiring low privileges (a Contributor account) with no user interaction, a changed scope, high confidentiality impact, no integrity impact, and low availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a WordPress Contributor account on a site running iNET Webkit 1.2.4, then submits crafted input to a vulnerable plugin parameter that is concatenated into a backend SQL query. The injected query returns sensitive rows - for example administrator password hashes or secret keys from wp_users/wp_options - enabling further account takeover. …
Remediation No vendor-released patch identified at time of analysis; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/inet-webkit/vulnerability/wordpress-inet-webkit-plugin-1-2-4-sql-injection-vulnerability) for an updated fixed version and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: conduct inventory of all WordPress installations using iNET Webkit plugin and document current versions; audit which user accounts hold Contributor or higher roles. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57752 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy