CVE-2026-32418
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jordy Meow Meow Gallery meow-gallery allows Blind SQL Injection. This issue affects Meow Gallery: from n/a through <= 5.4.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in Meow Gallery plugin (<=5.4.4) allows unauthenticated attackers to interact with the database by sending crafted queries.
Vulnerability Overview
The Meow Gallery plugin for WordPress, versions up to and including 5.4.4, contains a blind SQL injection vulnerability due to improper neutralization of special elements used in an SQL command. This flaw allows an attacker to inject arbitrary SQL queries through the plugin's input handling, potentially leading to unauthorized database interaction.
Exploitation
Attackers can exploit this vulnerability without authentication, making it accessible to any remote user who can send crafted HTTP requests to a vulnerable WordPress site. The blind SQL injection nature means the attacker may not see direct output but can infer information through timing or error-based techniques, enabling them to extract sensitive data from the database.
Impact
Successful exploitation could allow an attacker to read, modify, or delete database contents. This includes stealing user credentials, session tokens, or other confidential information stored in the WordPress database. The vulnerability has been assigned a CVSS v3 score of 7.6 (High), indicating significant risk. Given that such vulnerabilities are often used in mass-exploit campaigns, the impact can be widespread.
Mitigation
The vendor has released version 5.4.5 to address this issue. Users are strongly advised to update immediately. For those unable to update, enabling auto-updates via Patchstack or consulting a hosting provider is recommended. No other workarounds have been provided. [1]
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.