Skip to main content

WPGraphQL EUVDEUVD-2026-36975

| CVE-2026-40762 HIGH
SQL Injection (CWE-89)
2026-06-15 Patchstack GHSA-4x56-83j8-4m8f
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
7.5 HIGH

Network-reachable GraphQL endpoint with no auth (AV:N/PR:N/UI:N); AC:H reflects non-trivial injection path; SQLi reads DB across scope (S:C/C:H) with no confirmed write (I:N) and minor A:L.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 22:13 vuln.today
Patch available
Jun 15, 2026 - 22:02 EUVD

DescriptionCVE.org

Unauthenticated SQL Injection in WPGraphQL < 2.11.1 versions.

AnalysisAI

Unauthenticated SQL injection in the WPGraphQL WordPress plugin versions prior to 2.11.1 allows remote attackers to inject SQL through the plugin's GraphQL interface without any credentials. The flaw, tracked by Patchstack and assigned CVSS 7.5 with a scope-change impact, can lead to disclosure of database contents and partial availability impact on affected WordPress sites. No public exploit identified at time of analysis, but the unauthenticated nature and broad install base of WPGraphQL make patching urgent.

Technical ContextAI

WPGraphQL is a widely deployed WordPress plugin that exposes site data via a GraphQL API endpoint (typically /graphql) and translates GraphQL queries into WordPress database operations through wpdb. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input from a GraphQL query, argument, or filter is concatenated into a SQL statement without proper sanitization or parameterization. Because GraphQL resolvers in WPGraphQL ultimately call into WordPress's $wpdb layer, an unsanitized argument can break out of its intended SQL context and execute attacker-controlled SQL against the WordPress database. The CPE cpe:2.3:a:wpgraphql:wpgraphql confirms the plugin itself (not WordPress core) is the affected component.

RemediationAI

Upgrade the WPGraphQL plugin to version 2.11.1 or later, which is the vendor-released patch referenced in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-graphql/vulnerability/wordpress-wpgraphql-plugin-2-11-1-sql-injection-vulnerability. If immediate upgrade is not possible, deactivate the WPGraphQL plugin entirely (this will break any application, headless front end, or integration that depends on the /graphql endpoint), or restrict access to the GraphQL endpoint via web server / WAF rules - for example, blocking POST and GET requests to /graphql from untrusted networks or requiring authentication at the reverse proxy (this will also block any legitimate public GraphQL consumers). A WAF rule blocking common SQL injection payload patterns in GraphQL request bodies is a partial control but is unreliable for blind injection. After patching, audit WordPress access logs for unusual GraphQL queries and consider rotating any secrets stored in the WordPress database that could have been exfiltrated.

Share

EUVD-2026-36975 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy