Skip to main content

eMagicOne Store Manager EUVDEUVD-2026-31749

| CVE-2026-42773 CRITICAL
SQL Injection (CWE-89)
2026-05-25 Patchstack GHSA-5ffv-prf8-5rc6
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 08:30 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in eMagicOne eMagicOne Store Manager allows Blind SQL Injection.

This issue affects eMagicOne Store Manager: from n/a through 1.3.2.

AnalysisAI

Blind SQL injection in the eMagicOne Store Manager WordPress plugin (versions up to and including 1.3.2) allows remote unauthenticated attackers to inject malicious SQL through improperly sanitized parameters. With a CVSS 9.3 score and changed scope, successful exploitation can expose confidential database contents across the WordPress installation, though EPSS remains very low (0.03%) and no public exploit identified at time of analysis.

Technical ContextAI

The flaw is a CWE-89 SQL Injection affecting the eMagicOne Store Manager plugin for WordPress (CPE cpe:2.3:a:emagicone:emagicone_store_manager), a connector that bridges remote Store Manager desktop software with WooCommerce/WordPress stores. User-supplied input is concatenated into SQL queries without adequate neutralization of special characters, allowing attackers to alter query logic. Because responses do not return data directly, exploitation relies on blind techniques (boolean-based or time-based inference) where the attacker deduces information through behavioral differences in server responses.

RemediationAI

No vendor-released patch identified at time of analysis - the supplied references list the affected range as 'n/a through 1.3.2' without a fixed version, so administrators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/store-manager-connector/vulnerability/wordpress-emagicone-store-manager-plugin-1-3-2-sql-injection-vulnerability) and the eMagicOne vendor site for an updated build above 1.3.2 and apply it immediately when released. Until then, deactivate the Store Manager Connector plugin on production WordPress installations where the desktop sync feature is not essential, or restrict access to the plugin's REST/AJAX endpoints with a WAF rule blocking SQL meta-characters and tautology patterns (side effect: legitimate Store Manager desktop clients may lose connectivity); additionally enforce least-privilege on the WordPress database user to limit the blast radius of any successful injection, accepting that this does not prevent confidentiality loss within accessible tables.

Share

EUVD-2026-31749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy