Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Network-reachable injection needing only a Subscriber account (PR:L) with no UI; SQLi yields high data disclosure (C:H) and plausible limited data modification (I:L), scored S:U absent evidence of cross-system impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions.
AnalysisAI
SQL injection in the WC Vendors Marketplace WordPress plugin (versions <= 2.6.8) allows authenticated users holding only a low-privilege Subscriber-level account to inject arbitrary SQL into backend queries. Reported by Patchstack and tracked as CVE-2026-54838 (CWE-89), the flaw carries a CVSS 8.5 with a scope change, reflecting that a minimally-privileged marketplace account can read sensitive data across the WordPress database. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the WC Vendors Marketplace plugin installed and active at version 2.6.8 or earlier, plus an authenticated WordPress account at Subscriber level or higher (CVSS PR:L) - the attacker must be able to log in, so a fully unauthenticated visitor cannot trigger it. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) describes a network-reachable, low-complexity attack requiring low privileges and no user interaction, yielding high confidentiality impact, low availability impact, and a scope change - a credible 8.5 'High'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free Subscriber account on a WordPress marketplace running WC Vendors Marketplace 2.6.8 or earlier, then sends a crafted request to a vulnerable plugin endpoint with malicious SQL in a parameter. Because the input is concatenated into a database query, the attacker extracts data from other tables - such as user records, password hashes, or order information - beyond their own account scope. … |
| Remediation | No vendor-released patch version is identified in the available data, so the primary action is to upgrade to the first release later than 2.6.8 published by Rymera Web Co once available and to monitor the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wc-vendors/vulnerability/wordpress-wc-vendors-marketplace-plugin-2-6-8-sql-injection-vulnerability) and the official WC Vendors changelog for the exact fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress installations using WC Vendors Marketplace plugin versions 2.6.8 or below. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wc Vendors Marketplace
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39368
GHSA-837c-38p7-p5rv