Skip to main content

WP Inventory Manager CVE-2026-57772

| EUVDEUVD-2026-43392 HIGH
SQL Injection (CWE-89)
2026-07-13 Patchstack
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
7.1 HIGH

Network SQLi with low-privilege auth (PR:L) and no UI; primarily data disclosure (C:H) with limited write potential (I:L); scope kept Unchanged as injection stays within the DB security authority.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:36 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Inventory WP Inventory Manager wp-inventory-manager allows Blind SQL Injection.This issue affects WP Inventory Manager: from n/a through <= 2.4.0.

AnalysisAI

Blind SQL injection in the WP Inventory Manager WordPress plugin (versions up to and including 2.4.0) lets an authenticated attacker with low privileges inject crafted SQL into database queries, enabling extraction of arbitrary database contents such as user credentials and secrets. Reported by Patchstack, the flaw carries a CVSS 8.5 (scope-changed) rating; no public exploit has been identified at time of analysis and it is not listed in CISA KEV, so risk is currently theoretical but high-impact.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Send crafted parameter to plugin endpoint
Exploit
Inject blind SQL into backend query
Execution
Infer data via boolean/time responses
Impact
Exfiltrate credentials from WordPress database

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session at low privilege (CVSS PR:L) on a WordPress site running WP Inventory Manager version 2.4.0 or earlier, with network access to the affected plugin endpoint; no user interaction is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) indicates a network-reachable, low-complexity attack requiring only low-privilege authentication and no user interaction, with high confidentiality impact and a changed scope - consistent with SQL injection reaching data beyond the plugin's own boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or registers a low-privilege authenticated account on the WordPress site submits a crafted parameter to a WP Inventory Manager endpoint, injecting boolean- or time-based SQL that the plugin passes unsanitized to the database. By observing response differences or delays, the attacker iteratively extracts sensitive data such as administrator password hashes and secret keys from the wp_users and wp_options tables. …
Remediation No vendor-released patched version is identified in the provided data (the range ends at <= 2.4.0 with no fix version named), so treat any release later than 2.4.0 as the target and verify a fixed build via the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wp-inventory-manager/vulnerability/wordpress-wp-inventory-manager-plugin-2-4-0-sql-injection-vulnerability?_s_id=cve) and the WordPress.org plugin page before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all WordPress installations using WP Inventory Manager versions 2.4.0 or earlier and restrict plugin access to trusted administrators only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57772 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy