CVE-2026-39530
Description
Unauthenticated SQL Injection in SpeakOut! Email Petitions plugin <=4.6.5 allows database compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL Injection in SpeakOut! Email Petitions plugin <=4.6.5 allows database compromise.
Vulnerability
An unauthenticated SQL injection vulnerability exists in the SpeakOut! Email Petitions plugin for WordPress, affecting versions 4.6.5 and earlier [1]. The vulnerability is triggered via crafted HTTP requests to vulnerable endpoints without requiring authentication.
Exploitation
An attacker can exploit this vulnerability by sending specially crafted SQL injection payloads in HTTP requests to the plugin's vulnerable parameters. No authentication or user interaction is required, and the attack can be performed remotely over the network [1].
Impact
Successful exploitation allows an attacker to directly interact with the database, including reading, modifying, or deleting data. This can lead to information disclosure, data corruption, or privilege escalation depending on the database user permissions [1].
Mitigation
Update the SpeakOut! Email Petitions plugin to version 4.6.5.1 or later, which contains the fix [1]. Alternatively, apply a mitigation rule from Patchstack to block attacks until an update can be applied [1]. If unable to update, contact your hosting provider or web developer for assistance.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=4.6.5
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
0No linked articles in our index yet.