Wc Vendors Marketplace
Monthly
SQL injection in the WC Vendors Marketplace WordPress plugin (versions <= 2.6.8) allows authenticated users holding only a low-privilege Subscriber-level account to inject arbitrary SQL into backend queries. Reported by Patchstack and tracked as CVE-2026-54838 (CWE-89), the flaw carries a CVSS 8.5 with a scope change, reflecting that a minimally-privileged marketplace account can read sensitive data across the WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
The WC Vendors Marketplace WordPress plugin before 2.4.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in the WC Vendors Marketplace WordPress plugin (versions <= 2.6.8) allows authenticated users holding only a low-privilege Subscriber-level account to inject arbitrary SQL into backend queries. Reported by Patchstack and tracked as CVE-2026-54838 (CWE-89), the flaw carries a CVSS 8.5 with a scope change, reflecting that a minimally-privileged marketplace account can read sensitive data across the WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
The WC Vendors Marketplace WordPress plugin before 2.4.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.