Skip to main content

Quotes llama EUVDEUVD-2026-39716

| CVE-2026-56062 CRITICAL
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-w84j-9mxx-58w2
9.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Unauthenticated network SQLi with low complexity gives AV:N/AC:L/PR:N/UI:N; database access yields C:H and plausible limited write (I:L), with scope change to the shared DB.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:58 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in Quotes llama <= 3.1.5 versions.

AnalysisAI

Unauthenticated SQL injection in the Quotes llama WordPress plugin (versions 3.1.5 and earlier) lets remote attackers without credentials inject malicious SQL through plugin input handling, exposing the WordPress database. The CVSS 3.1 base score of 9.3 reflects network reachability with no authentication and a scope change, meaning impact can reach beyond the plugin into the underlying database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Quotes llama ≤3.1.5
Delivery
Send crafted request to vulnerable parameter
Exploit
Inject SQL via unsanitized input
Execution
Database executes malicious query
Impact
Exfiltrate user and credential data

Vulnerability AssessmentAI

Exploitation Exploitation requires only that a target WordPress site has the Quotes llama plugin (version 3.1.5 or earlier) installed and active and that its vulnerable endpoint is reachable over the network; per the CVSS vector PR:N/UI:N/AC:L there is no authentication, no user interaction, and low complexity, so default installations are exposed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) describes a high-priority, easily reachable flaw: network attack vector, low complexity, no privileges, and no user interaction, all of which favor opportunistic and automatable exploitation typical of WordPress plugin SQLi. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker scans WordPress sites, identifies one running Quotes llama 3.1.5 or earlier, and sends a crafted HTTP request to the vulnerable plugin parameter with an injected SQL payload. Given AV:N/AC:L/PR:N/UI:N, no login or victim interaction is required, allowing automated tooling to extract sensitive database contents such as user records and password hashes. …
Remediation No vendor-released patch version was identified in the available data, so a specific fixed release cannot be cited - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/quotes-llama/vulnerability/wordpress-quotes-llama-plugin-3-1-5-sql-injection-vulnerability) for the latest fix status and upgrade to any release newer than 3.1.5 once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for Quotes llama plugin versions 3.1.5 and earlier; document affected systems and database criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39716 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy