CVE-2026-39441
Description
Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free plugin versions ≤ 5.3 allows database compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Unauthenticated SQL Injection exists in the Feed KuantoKusta for WooCommerce – Free plugin for WordPress, affecting versions 5.3 and earlier [1]. The vulnerability occurs in an unauthenticated context, meaning no user login is required to exploit it. The exact code location is not publicly detailed but involves insufficient sanitization of user-supplied input in a query [1].
Exploitation
An attacker can exploit this vulnerability without authentication by sending a crafted HTTP request containing an SQL injection payload to a vulnerable endpoint exposed by the plugin [1]. No special network position or user interaction is needed. The attack can be automated, making it suitable for mass exploitation campaigns [1].
Impact
Successful exploitation allows an attacker to directly interact with the WordPress database [1]. This can result in information disclosure (e.g., extracting sensitive data like user credentials, post content), data modification, or potentially gaining administrative access to the site. The CVSS v3 score is 9.3 (Critical) [1].
Mitigation
Update to version 5.3.1 or later, which contains the fix [1]. For users who cannot update immediately, Patchstack provides a mitigation rule that blocks attacks until the patch is applied [1]. The vulnerability is expected to be exploited in mass campaigns, so rapid action is advised [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.3
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.