VYPR
High severity · 7.6 · NVD Advisory · Published Mar 13, 2026 · Updated Apr 22, 2026

CVE-2026-32458

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 WOLF bulk-editor allows Blind SQL Injection. This issue affects WOLF: from n/a through <= 1.0.8.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Blind SQL injection in the WOLF bulk-editor plugin (≤1.0.8.7) allows unauthenticated attackers to extract database contents.

Vulnerability

Overview

The WOLF bulk-editor plugin for WordPress, versions up to and including 1.0.8.7, contains a blind SQL injection vulnerability due to improper neutralization of special elements used in an SQL command [1]. This flaw allows an attacker to inject malicious SQL queries through user-supplied input that is not properly sanitized before being used in database operations.

Exploitation

Attackers can exploit this vulnerability without requiring authentication, making it accessible to any remote attacker who can send crafted requests to the vulnerable plugin [1]. The blind nature of the injection means the attacker may not see direct error output but can infer database contents through boolean-based or time-based techniques.

Impact

Successful exploitation enables an attacker to directly interact with the underlying database, potentially leading to data theft, including sensitive information such as user credentials, personal data, or other stored content [1]. The CVSS v3 score of 7.6 (High) reflects the significant confidentiality impact achievable through this vector.

Mitigation

The vendor has released version 1.0.9, which resolves the vulnerability. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consult a web developer or hosting provider about alternative mitigations [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
