Skip to main content

nicen-localize-image CVE-2026-57756

| EUVDEUVD-2026-41312 HIGH
SQL Injection (CWE-89)
2026-07-02 Patchstack GHSA-vf3q-vv2j-4h2g
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Contributor account required (PR:L) over the network with low complexity; SQLi reads data across DB scope (S:C, C:H) with minor availability effect and no integrity change.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:23 vuln.today

DescriptionCVE.org

Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions.

AnalysisAI

Authenticated SQL injection in the WordPress plugin nicen-localize-image (versions 1.4.9 and earlier) allows users holding the low-privilege Contributor role to inject arbitrary SQL into the WordPress database backend. Because the CVSS scope is changed and confidentiality impact is High, a Contributor can read data beyond the plugin's own remit, potentially extracting other users' credentials or secrets from the wp_users/wp_options tables. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor account on target site
Delivery
Access vulnerable plugin endpoint
Exploit
Inject SQL via unsanitized parameter
Execution
Query crosses scope to other tables
Impact
Exfiltrate credentials/secrets from database

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account with at least the WordPress Contributor role (CVSS PR:L) on a site running nicen-localize-image version 1.4.9 or earlier; no user interaction and no special product configuration beyond the plugin being active are needed (AV:N/AC:L/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L, base 8.5 High) indicates network-reachable, low-complexity exploitation requiring only low privileges (a Contributor account) and no user interaction, with a scope change amplifying impact and High confidentiality loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a Contributor account on a WordPress site running nicen-localize-image <= 1.4.9, then submits a crafted request to the plugin's vulnerable endpoint with a malicious SQL payload in a parameter that is concatenated into a database query. Leveraging the changed scope and High confidentiality impact, they extract sensitive data such as administrator password hashes or secret keys from other database tables. …
Remediation No vendor-released patch version is identified in the available data, so the primary action is to consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/nicen-localize-image/vulnerability/wordpress-nicen-localize-image-plugin-1-4-9-sql-injection-vulnerability) for the fixed release and upgrade to any version above 1.4.9 as soon as it is confirmed available. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for nicen-localize-image usage and contributor role assignments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy