Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Network-reachable WordPress plugin endpoint, unauthenticated SQLi (PR:N, AC:L); scope change to DB; I raised to L since SQLi rarely leaves integrity fully intact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in SpeakOut! Email Petitions <= 4.6.5 versions.
AnalysisAI
Unauthenticated SQL injection in the SpeakOut! Email Petitions WordPress plugin (versions ≤ 4.6.5) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. Reported by Patchstack and tracked as EUVD-2026-36960, the flaw carries a CVSS 3.1 score of 9.3 driven by a changed scope and network-reachable attack surface. No public exploit identified at time of analysis, but the trivial exploitability and WordPress plugin ecosystem make opportunistic mass-scanning likely.
Technical ContextAI
SpeakOut! Email Petitions is a WordPress plugin that lets site operators run online petition campaigns with email-based signature collection. The vulnerability is a classic CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) defect: user-controlled input is concatenated into a SQL statement reaching the underlying WordPress MySQL/MariaDB database without prepared statements or proper sanitization via $wpdb->prepare(). Because the CPE (cpe:2.3:a:speakout!:speakout!_email_petitions) covers all versions through 4.6.5 with no lower bound published, the injection point likely exists in a long-standing code path such as a petition signature, list, or admin endpoint that does not require authentication.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack advisory does not list a fixed version above 4.6.5 in the supplied data, so administrators should verify the plugin's WordPress.org page for a release newer than 4.6.5 before upgrading. As an immediate compensating control, deactivate and remove the SpeakOut! Email Petitions plugin entirely (trade-off: petition functionality is lost until a patched version ships), or place the WordPress site behind a Web Application Firewall such as Patchstack, Wordfence, or a cloud WAF with a virtual patch / SQLi ruleset for this CVE (trade-off: false positives on legitimate petition submissions and dependency on signature freshness). Restrict database privileges for the WordPress DB user to deny FILE, CREATE, and DROP where feasible to limit blast radius. Monitor the advisory at https://patchstack.com/database/wordpress/plugin/speakout/vulnerability/wordpress-speakout-email-petitions-plugin-4-6-5-sql-injection-vulnerability for fix release information.
More in Speakout Email Petitions
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36960
GHSA-cmrg-m5w9-wc4f